Stronger ASP.NET Session IDs

TL;DR

The default ASP.NET session ID is 120 bits of cryptographic randomness, so guessing it is not the practical risk. Sessions get hijacked through the way the ID is issued and transported: fixation before login, cookieless URLs, cookies sent over HTTP. This guide shows the web.config and code changes that close those gaps, and how to lengthen the ID if policy demands it.

Improving ASP.NET Session ID Strength

  1. Understand the Problem: By default ASP.NET generates each session ID from a cryptographic random number generator: 120 bits of entropy, encoded as 24 characters. That is well above the 64 bits OWASP recommends, so brute-forcing or predicting an ID is not the realistic threat. Sessions are hijacked through the way the ID is handled instead: ASP.NET accepts any well-formed ID a client presents and will start a session under it (session fixation), the ID is not changed at login, and in cookieless mode it travels in the URL, where it leaks through Referer headers, proxy logs and browser history. The steps below close those gaps; lengthening the ID is optional and is covered at the end of step 2.
  2. Configure Session Handling in web.config: Edit the <sessionState> element under <system.web>.
    • Keep cookieless set to UseCookies (the default). Cookieless mode puts the session ID in the URL and is the single worst setting for session security; no ID length requires it.
    • Set timeout to the shortest value the application can tolerate (the default is 20 minutes). A shorter window limits how long a stolen ID stays useful.
    • There is no attribute that sets the session ID length: the 120-bit, 24-character format is fixed inside SessionIDManager. If policy requires a longer ID, derive a class from System.Web.SessionState.SessionIDManager, override CreateSessionID (to generate the ID) and Validate (so the new format is accepted; the base implementation rejects anything other than 24 characters), stay under SessionIDManager.SessionIDMaxLength (80 characters), and register the class with the sessionIDManagerType attribute of <sessionState>.

  3. Do Not Rely on "Encrypting" the Session ID: <sessionState> has no encryption setting, and none is needed. The ID is an opaque random token, not data an attacker can decode, so encrypting it adds nothing; what protects it is the transport (step 4) and never writing it to URLs or logs.
    • Session data itself is stored server-side (in process, in the ASP.NET State Service or in SQL Server) and never leaves the server, so there is nothing on the client to encrypt. Protect the store instead: restrict network access to the State Service or SQL Server and use an encrypted connection.
    • machineKey does not affect session IDs. It signs and encrypts Forms Authentication tickets and the ViewState MAC, so it still matters for account takeover: set it explicitly with strong algorithms (for example validation="HMACSHA256" and decryption="AES"), keep it identical on every server in a farm, rotate it on a schedule, and keep the keys out of source control (encrypt the section with aspnet_regiis -pe, or load it from a secrets store such as Azure Key Vault).
  4. Use Secure Cookies: Make sure the session cookie is only ever sent over HTTPS and cannot be read from script.
    • Force HTTPS for the whole site with a rewrite rule under <system.webServer><rewrite><rules> (the IIS URL Rewrite module), or with HSTS. A rule under <modules> will not work; that element only registers HTTP modules.
    • The requireSSL attribute belongs on <httpCookies> under <system.web>, not on <sessionState>. <httpCookies requireSSL="true" httpOnlyCookies="true" /> marks every cookie ASP.NET issues, including ASP.NET_SessionId, as Secure and HttpOnly. ASP.NET already sets HttpOnly on the session cookie regardless; the attribute makes the policy explicit and covers your other cookies, and it stops client-side scripts from reading them.
    • On .NET Framework 4.7.2 or later also set cookieSameSite="Lax" (or "Strict") on <sessionState> so the browser does not attach the session cookie to cross-site requests, which blunts cross-site request forgery against the session.
  5. Regenerate the Session ID at Login: Because ASP.NET adopts any well-formed ID a client presents, an attacker can plant an ID in the victim's browser before login and share the session afterwards (session fixation). Issue a new ID as part of every login and after a password change.
    • Session.Abandon() by itself does not produce a new ID: it discards the server-side data, but the ASP.NET_SessionId cookie stays in the browser and the next request silently reuses the same value. Clear the cookie alongside Abandon() (use the name from cookieName if you changed it), or issue a new ID through SessionIDManager. After a password change, abandoning the session and sending the user back to the login page also forces re-authentication:
      Session.Abandon(); Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
      Response.Redirect("Login.aspx");

      The next request carries an empty session cookie, which fails validation, so ASP.NET generates a fresh ID. At login do the same before storing anything in the session, and redirect to the post-login page instead of the login page.

  6. Monitor for Suspicious Activity: Log session creation and login events and alert on the signs of a hijacked or fixed session: the same session ID used from two different client addresses or user agents, repeated logins to one account within minutes, or access from unexpected locations.
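The following is an added example, not code from the original post or from Microsoft, that puts steps 2 and 5 together: a SessionIDManager subclass that issues 256-bit IDs, and a helper that issues a new ID at login so an ID planted before authentication is not carried across it. It assumes classic ASP.NET (System.Web) on .NET Framework; the names LongSessionIDManager, SessionIds.RegenerateSessionId and the SessionHardening namespace and assembly are made up for the example, and the web.config fragment in the leading comment is what registers the class.

```csharp
// Added example (not the original post's code). Assumed registration in web.config:
//
// <system.web>
//   <sessionState mode="InProc" cookieless="UseCookies" timeout="20"
//                 sessionIDManagerType="SessionHardening.LongSessionIDManager, SessionHardening" />
//   <httpCookies httpOnlyCookies="true" requireSSL="true" />
// </system.web>

using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;

namespace SessionHardening
{
    // Replaces the fixed 120-bit / 24-character format with 256 bits, base64url encoded.
    public class LongSessionIDManager : SessionIDManager
    {
        private const int IdBytes = 32;   // 256 bits of entropy
        private const int IdLength = 43;  // 32 bytes -> 43 base64url characters without padding

        public override string CreateSessionID(HttpContext context)
        {
            var raw = new byte[IdBytes];
            using (var rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(raw);
            }
            // base64url keeps the value cookie-safe; 43 characters is well under
            // SessionIDManager.SessionIDMaxLength (80).
            return Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        }

        // ASP.NET validates every ID a client presents. The base implementation only accepts
        // 24-character IDs, so without this override every request would get a new session.
        // Anything that is not exactly our format is rejected before it reaches the store.
        public override bool Validate(string id)
        {
            if (id == null || id.Length != IdLength) return false;
            foreach (char c in id)
            {
                bool ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                          (c >= '0' && c <= '9') || c == '-' || c == '_';
                if (!ok) return false;
            }
            return true;
        }
    }

    public static class SessionIds
    {
        // Call from the login handler once credentials are verified and before anything is
        // stored in the session. Session.Abandon() alone leaves the old ASP.NET_SessionId
        // cookie in the browser, so the next request would reuse a possibly attacker-chosen ID.
        public static void RegenerateSessionId(HttpContext context)
        {
            context.Session.Abandon();

            var manager = new LongSessionIDManager();
            string newId = manager.CreateSessionID(context);
            bool redirected, cookieAdded;
            // Writes the new ID into the response cookie (in cookie mode no redirect happens).
            manager.SaveSessionID(context, newId, out redirected, out cookieAdded);

            // The current request still sees the abandoned session; the next request starts a
            // fresh, empty session under newId. Store post-login state after the redirect.
        }
    }
}
```

Switching to a longer ID is a breaking change for sessions in flight, so deploy it with a maintenance window or accept that every user is logged out once; because Validate rejects the old 24-character format, an attacker cannot keep using an ID issued before the change either.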