Last post Jul 21, 2015 09:03 PM by Em Tolentino
Jul 13, 2015 06:04 AM|Em Tolentino|LINK
After running penetration tests on our site, our IT Security pointed out that session IDs on our server don't get cleared out after the users log out.
Our code to clear the session is as follows:
```vb
' Expire the forms-authentication ticket cookie and send it back to the browser
Dim Cookie1 As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, "")
Cookie1.Expires = DateTime.Now.AddYears(-1)
Response.Cookies.Add(Cookie1)
' Expire the ASP.NET session cookie the same way (this only affects the client; the server-side session still exists)
Dim Cookie2 As HttpCookie = New HttpCookie("ASP.NET_SessionId", "")
Cookie2.Expires = DateTime.Now.AddYears(-1)
Response.Cookies.Add(Cookie2)
```
We confirmed this by having UserA log in and forging cookies based on that login. After UserA logs out, we log in UserB and as expected, we acquired all the session values stored in UserA's sessionID.
Is there any other way to clear the session data?
Thanks in advance!
Jul 13, 2015 08:36 AM|Rion Williams|LINK
The Session.Clear() and Session.Abandon() methods should both be sufficient, and the FormsAuthentication.SignOut() method should do its job clearing out any authentication-related cookies as well.
So you should be able to use the following, which should ensure everything gets cleared out:
I suppose that caching could be a possible culprit in this case, but as far as the code that you provided, that should be sufficient.
Jul 13, 2015 09:26 AM|Em Tolentino|LINK
Jul 13, 2015 09:42 AM|Rion Williams|LINK
We did set caching to no-store and disabled kernel cache before the said test... do we need to re-enable the cache?
This should be fine; my concern was that caching was actually enabled and was causing some artifact data to be served from the cache when it shouldn't have been.
The only time the session gets cleared is when the session timeout is reached.
The Session should be getting cleared via the Session.Abandon() or Session.Clear() methods; however, it's important to remember that these are not going to be performed until AFTER the request they are called in has completed. Could you post an example of code where you are calling / referencing the Session?
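Putting Rion's two points together (Clear/Abandon plus SignOut, and the fact that Abandon only takes effect once the request ends), here is an added example of a complete Web Forms logout handler; it is not code from this thread, and it assumes a page with a button named btnLogout and forms authentication configured in web.config:

```vb
' Added example (not from the thread): a logout handler that invalidates the
' server-side session rather than only expiring the client's cookies.
Imports System
Imports System.Web
Imports System.Web.Security

Partial Class Logout
    Inherits System.Web.UI.Page

    Protected Sub btnLogout_Click(sender As Object, e As EventArgs) Handles btnLogout.Click
        ' 1. Drop the server-side session data and mark the session abandoned.
        '    Abandon() is applied when this request ends, so nothing in this
        '    handler should read Session afterwards and expect it to be empty.
        Session.Clear()
        Session.Abandon()

        ' 2. Remove the forms-authentication ticket cookie.
        FormsAuthentication.SignOut()

        ' 3. Expire the ASP.NET_SessionId cookie explicitly. ASP.NET recycles the
        '    identifier of an abandoned session: a later request that still carries
        '    this cookie gets a fresh session under the SAME id, so a session id
        '    captured before logout would remain usable if the cookie stayed behind.
        Dim sessionCookie As New HttpCookie("ASP.NET_SessionId", String.Empty)
        sessionCookie.Expires = DateTime.Now.AddYears(-1)
        sessionCookie.HttpOnly = True
        Response.Cookies.Add(sessionCookie)

        ' 4. Keep the logout response itself out of browser and proxy caches.
        Response.Cache.SetCacheability(HttpCacheability.NoCache)
        Response.Cache.SetNoStore()

        ' 5. Redirect so the next request arrives with no session cookie at all;
        '    a new id is issued only when Session is next used.
        Response.Redirect(FormsAuthentication.LoginUrl, False)
        Context.ApplicationInstance.CompleteRequest()
    End Sub
End Class
```

To verify the fix, repeat the thread's own test: replay a session cookie captured before logout and confirm the server now answers with an empty session instead of the previous user's values.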
Jul 13, 2015 07:09 PM|Em Tolentino|LINK
We store data in the session like this:
Session("UserData") = txtUserData.Text
then we retrieve the data by:
txtUserData.Text = Session("UserData")
If I am not mistaken, we should be getting null values on the keys after Session.Clear() is called. But even that doesn't happen.
Jul 14, 2015 08:31 AM|Rion Williams|LINK
If I am not mistaken, we should be getting null values on the keys after Session.Clear() is called.
Are you attempting to retrieve the values within the same request, like the following example:
txtExample.Text = Session("ExampleKey")
I'm not sure if both the Clear and Abandon methods are not executed until the current request has completed, but that may be the case. However, if the session is accessed in a subsequent request, it should be empty.
Jul 14, 2015 09:36 AM|Em Tolentino|LINK
Jul 20, 2015 07:17 AM|meeyourmark|LINK
Hi Tolentino,
Session.Clear: Removes all keys and values from the session-state collection.
Session.Abandon: Removes all the objects stored in a Session.
Have you solved your problem? I think if using Session.Clear and Abandon, it will clear the session; too strange...
Jul 20, 2015 08:10 AM|mr.rahulmaurya|LINK
Hi Em Tolentino,
Use the following code on every page load on which login is mandatory:
The above code clears any cache of data in the browser.
For more, follow the link http://www.niceonecode.com/Q-A/DotNet/CSharp/How-to-implement-Session-in-C-sharp/20098
Jul 21, 2015 02:07 PM|PatriceSc|LINK
What do you see exactly? Have you tried a test page showing the current date/time and perhaps one button to create a session variable and one button to clear them (and when you click one of those buttons it does the action and then shows again all session variables)? You should really see that it works.
Or could it be that you are using something like the browser back button, etc.? Ah, and your session provider is?
Jul 21, 2015 09:03 PM|Em Tolentino|LINK
Thanks for all your responses. The issue on the session was resolved, but we still don't know the exact reason why this is happening. We redid the process of logging in and verifying the users. The process was still similar to the old one but, just as strange, the session problem disappeared. I am still in the process of comparing the old code with the new one.
I will post the findings if we pinpoint the exact culprit causing the session to persist.