Sessions are not properly destroyed when users log out

Vote:
 

Hello

The web application I am working on does not destroy sessions properly, which means it is very prone to hijacks. I can log off, enter in the cookies .EpiserverLogin and .ASPXRoles and im inside the application again. I am wondering if there is something unique with EPiServer in how we must destroy our sessions. My current code for destroying sessions is as follows:

  protected void MasterLoginStatus_LoggingOut(object sender, LoginCancelEventArgs e)
        {

            HttpContext.Current.Session.Clear();
            HttpContext.Current.Session.Abandon();
            HttpContext.Current.Session.RemoveAll();
            System.Web.Security.FormsAuthentication.SignOut(); 
        }

Any help would be greatly appriciated!

#114326
Dec 10, 2014 10:13
Vote:
 
<p>I&rsquo;m definitely not a security expert, but my understanding is that signout method helps you clean up cookies from client&rsquo;s browser. If you restore cookies back (they are not expired) I guess there is no way that server can predict that you just deleted the cookies, and then restored them back. Your new request with newly added cookies back will not differentiate from request made with original cookies. Session hijack what you are referring to is more about securing the cookie (and how hijacker will gain access to your cookie). More inspiration could be found - <a href="https://www.owasp.org/index.php/Session_Management_Cheat_Sheet">https://www.owasp.org/index.php/Session_Management_Cheat_Sheet</a>, <a href="http://www.troyhunt.com/2010/07/owasp-top-10-for-net-developers-part-3.html">http://www.troyhunt.com/2010/07/owasp-top-10-for-net-developers-part-3.html</a>.</p> <p>Do you see that the same session is restored (the same Id and content)? I guess cleaning the session and getting back authenticated in the site and not really related cases.</p> <p>&nbsp;</p>
#114344
Dec 10, 2014 14:15
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.