You must Sign In to post a response.
  • Category: ASP.NET

    How do Broken Authentication and Session Management

    Hi,

    Finaly our project has been lounch in nic. Before nic louch our software has been
    audited by them. So they have required pre cookies and post cookies. We have tried it
    but problem is if we tried to change cookies name then it is affected our session value
    so we are not getting user name and information to display who name and login information
    per page when, he is opening for data entry or view..

    So how solved following solution....

    The following solution can be implemented for fixing the session fixation flaw & Improper Cache control:

    I. Follow a secure session management lifecycle which includes proper initialization, maintenance, authentication and termination of the session token.

    II. Application should generate different tokens for pre authentication and post authentication. The first time a user visits this web site, he/she is given a
    session token by the web site. Now when the user attempts to login, the same session token is used while processing this request. After the login process,
    if the web site doesn't
    allocate a fresh session token to the user, the user is prone to session fixation attack. So it is mandatory for the web site to provide a
    unique, random and fresh session token after the user has authenticated to the web site.

    III. Do not allow the login process to start from an unencrypted page. Always start the login process from a second, encrypted page with a fresh
    or new session token to prevent credential or session stealing, phishing attacks and session fixation attacks.

    IV. Consider regenerating a new session upon successful authentication or privilege level change.

    V. Only use the inbuilt session management mechanism. Do not write or use secondary session handlers under any circumstances.

    VI. Do not accept new, preset or invalid session identifiers from the URL or in the request. This is called a session fixation attack.

    VII. The session tokens given to the user before the authentication process should be different from session tokens that are given to the user after
    the user has authenticated.
  • #767612
    Hi,

    As per my understanding this is not a place to post this in Forum section, I may suggest you to post the same in Article section that will reach no of people those who are looking for the same, any how nice to hear that you are split your authentication into 2 part like "preAuthentication / PostAuthentication".

    If possible provide sample piece of code, that will reach more people.

    --------------------------------------------------------------------------------
    Give respect to your work, Instead of trying to impress your boss.

    N@veen
    Blog : http://naveens-dotnet.blogspot.in/

  • #767613
    hi,

    We are going auditing on the our software. So When we login fist time, it is create our own
    cookie and after login our cookies is not change. So it is chance to hacking the our cookies
    site. means he can paste our cookie which we have storing user name and password.

    So our auditor tell us to change a cookies value after login.
    But problem is that if we change cookies values then we can't access session values. Because of
    our another page are checking session values for authotentication for user. No We want if our
    cookies values ('KONKAN' is name of cookies/session) change it should not affected on our
    session values..


    here code:.
    It is create cookies----

    private void CreateCookie()
    {
    string encryptedTextKonkan;
    //string encryptedTextAsp;

    FormsAuthenticationTicket konkanTicket;
    //FormsAuthenticationTicket aspTicket;

    Session.Abandon();

    konkanTicket = new FormsAuthenticationTicket(1, "konkan", DateTime.Now, DateTime.Now.AddSeconds(15), false, "");
    //aspTicket = new FormsAuthenticationTicket(1, "asp", DateTime.Now, DateTime.Now.AddSeconds(15), false, "");

    encryptedTextKonkan = FormsAuthentication.Encrypt(konkanTicket);
    //encryptedTextAsp = FormsAuthentication.Encrypt(aspTicket);

    if (encryptedTextKonkan.Trim().Length > 50)
    {
    encryptedTextKonkan = encryptedTextKonkan.Substring(0, 50);
    }

    //if (encryptedTextAsp.Trim().Length > 50)
    //{
    // encryptedTextAsp = encryptedTextAsp.Substring(0, 50);
    //}

    Response.Cookies.Add(new HttpCookie("KONKAN", encryptedTextKonkan.ToLower()));
    //Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", encryptedTextAsp.ToLower()));
    }


    User access method
    ==================
    private void ValidateUserCredentials()
    {
    DataTable source;

    UserEntity userEntity;
    UserLogic userLogic;
    int blockedUserName = 0;
    string pwdDecrypt = string.Empty;

    try
    {
    userEntity = new UserEntity();
    userLogic = new UserLogic();

    userEntity.UserName = this.tbUsername.Text;

    //if already user locked/block
    blockedUserName = userLogic.SelectIsUserNameBloked(userEntity);

    if (blockedUserName == 1)
    {
    //Give your message or what ever you want
    string text = "\\n Kindly Contact System Administrator.";
    ScriptManager.RegisterStartupScript(this, this.GetType(), "Msg", "alert('Your Account has been locked." + text + "');", true);

    this.tbUsername.Text = string.Empty;
    this.tbPassword.Text = string.Empty;
    this.tbTest.Text = string.Empty;

    this.tbUsername.Focus();

    return;
    }

    //if user try login 3 times
    source = userLogic.SelectUserMasterCredentials(userEntity);

    //if Data Exists
    if (this.tbUsername.Text != string.Empty && this.tbPassword.Text != string.Empty)
    {
    if (source.Rows.Count > 0)
    {
    pwdDecrypt = GM.DecryptStringAES(tbPassword.Text.Trim());

    if (Convert.ToString(source.Rows[0]["USER_NAME"]) == this.tbUsername.Text.ToString() && GM.DecryptPassword(Convert.ToString(source.Rows[0]["PASSWORD"]), Convert.FromBase64String(source.Rows[0]["SALT"].ToString()), Convert.FromBase64String(source.Rows[0]["IV"].ToString())) == Convert.ToString(pwdDecrypt))
    {
    Session["CMS_USER_ID"] = Convert.ToString(source.Rows[0]["ID"]);
    Session["PROFILE_ID"] = Convert.ToString(source.Rows[0]["PROFILE_ID"]);
    Session["CMS_USER_NAME"] = Convert.ToString(source.Rows[0]["USER_NAME"]);
    Session["PASSWORD"] = Convert.ToString(source.Rows[0]["PASSWORD"]);

    if (this.tbPassword.Text.ToString().ToUpper() == "ALLIED007")
    {
    Response.Redirect("~/cms/ChangePassword.aspx", false);
    }
    else
    {
    Response.Redirect("~/cms/Home.aspx", false);
    }

    this.tbUsername.Text = string.Empty;
    this.tbPassword.Text = string.Empty;
    this.tbTest.Text = string.Empty;
    }
    else if (Convert.ToString(source.Rows[0]["USER_NAME"]) == this.tbUsername.Text.ToString() && GM.DecryptPassword(Convert.ToString(source.Rows[0]["PASSWORD"]), Convert.FromBase64String(source.Rows[0]["SALT"].ToString()), Convert.FromBase64String(source.Rows[0]["IV"].ToString())) != Convert.ToString(pwdDecrypt))
    {
    LoginAttempts++;
    Session["Login"] = Convert.ToInt32(Session["Login"]) + LoginAttempts;

    if (Convert.ToInt32(Session["Login"]) < 3)
    {
    ScriptManager.RegisterStartupScript(this, this.GetType(), "Msg", "alert('Invalid credentials. Please try again.');", true);

    this.tbUsername.Text = string.Empty;
    this.tbPassword.Text = string.Empty;
    this.tbTest.Text = string.Empty;

    this.tbUsername.Focus();

    return;
    }
    else if (Convert.ToInt32(Session["Login"]) == 3)
    {
    //Give your message or what ever you want
    string text = "\\n Kindly Contact System Administrator.";
    ScriptManager.RegisterStartupScript(this, this.GetType(), "Msg", "alert('Your Account has been locked." + text + "');", true);

    userLogic.UpdateUserNameBlock(userEntity);

    this.tbUsername.Text = string.Empty;
    this.tbPassword.Text = string.Empty;
    this.tbTest.Text = string.Empty;

    this.tbUsername.Focus();
    LoginAttempts = 0;
    //Session.Abandon();

    return;
    }
    }
    }
    }
    }
    catch (Exception ex)
    {
    throw ex;
    }
    finally
    {
    source = null;
    userLogic = null;
    userEntity = null;
    blockedUserName = 0;
    LoginAttempts = 0;
    pwdDecrypt = "";
    }
    }

  • #767618
    Secure session state:
    The session-state feature is enabled by default. While the default configuration settings are set to the most secure values, you should disable session state if it is not required for your application, When storing sensitive information in a configuration file for an application, you should encrypt the sensitive values using Protected Configuration. Information that is especially sensitive includes the encryption keys stored in the machineKey configuration element and data source connection strings stored in the connectionStrings configuration element
    for better details switch to below link
    https://msdn.microsoft.com/en-us/library/ms178201.aspx

    Thanks
    Koolprasd2003
    Editor, DotNetSpider MVM
    Microsoft MVP 2014 [ASP.NET/IIS]


Sign In to post your comments