Hi,

I am using the session for my pre- and post-login state as below:

C#
// Login page code..

protected void Page_Load(object sender, EventArgs e)
{
    // Anonymous visitors get a placeholder identity in the same session.
    if (string.IsNullOrEmpty(Convert.ToString(Session["LoginId"])))
        Session["LoginId"] = "Guest";
}

protected void btnLogin_Click(object sender, EventArgs e)
{
    // The logged-in identity is written into the same session (same session ID).
    Session["LoginId"] = "SomeUserId";
    Response.Redirect("PostloginPageURL");
}

// Post-login page code..

protected void Page_Load(object sender, EventArgs e)
{
    if (!string.Equals(Convert.ToString(Session["LoginId"]), "SomeUserId"))
    {
        Response.Redirect("loginPageURL");
    }
    else
    {
        // Fetch some data...
    }
}


As you can see above, I am using the same session to manage both my pre- and post-login state. This may lead to session hijacking by using the session ID.

So after a long search I came to the conclusion that one needs to change the session ID, because both the pre- and post-login sessions have the same session ID.

After some more searching I got the following code for creating a new session ID:
C#
protected void btnLogin_Click(object sender, EventArgs e)
{
    Session.Abandon();
    // Overwrite the session cookie so the next request gets a new session ID.
    Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
    Session["LoginId"] = "SomeUserId";
}


The above code succeeds in generating a new session ID.
But I am unable to retrieve my saved value, i.e. I am unable to get the value of the session on the other page.

I tried all of the below:

Removed Session.Abandon(); and checked ---> FAILED
Tried Response.Redirect("MyUrl", false) ---> FAILED
Tried Server.Transfer("MyUrl") ---> FAILED

Valid answers are appreciated.

Thank you.
Comments
Sazzad Hossain 7-Oct-11 6:09am
Could you please explain why you would keep the current user ID in the session? If you do forms authentication then HttpContext.User will hold the user ID anyway. That way you will not have to care about the current session. When anyone signs out, you can just call Session.Clear..

This will regenerate your session ID while keeping the session data intact :) Try it out!

C#
using System;
using System.Reflection;
using System.Web;
using System.Web.SessionState;

// Call from a Page (Context is the page's HttpContext) to give the current request
// a new session ID while keeping its session data. It reaches into
// SessionStateModule's private fields by reflection, so it depends on the
// internal layout of the framework version in use.
void RegenerateId()
{
    var manager = new SessionIDManager();
    string oldId = manager.GetSessionID(Context);
    string newId = manager.CreateSessionID(Context);
    bool isAdd, isRedir;
    // Writes the new ID into the ASP.NET_SessionId cookie (or URL) for this response.
    manager.SaveSessionID(Context, newId, out isRedir, out isAdd);
    var ctx = HttpContext.Current.ApplicationInstance;
    HttpModuleCollection mods = ctx.Modules;
    var ssm = (SessionStateModule)mods.Get("Session");
    var fields = ssm.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance);
    SessionStateStoreProviderBase store = null;
    FieldInfo rqIdField = null;
    FieldInfo rqLockIdField = null;
    FieldInfo rqStateNotFoundField = null;
    foreach (var field in fields)
    {
        if (field.Name.Equals("_store")) store = (SessionStateStoreProviderBase)field.GetValue(ssm);
        if (field.Name.Equals("_rqId")) rqIdField = field;
        if (field.Name.Equals("_rqLockId")) rqLockIdField = field;
        if (field.Name.Equals("_rqSessionStateNotFound")) rqStateNotFoundField = field;
    }
    if (store == null || rqIdField == null || rqLockIdField == null || rqStateNotFoundField == null)
        throw new InvalidOperationException("SessionStateModule internals not found; cannot regenerate the session ID on this runtime.");
    // Release the exclusive lock the module took on the old item at the start of the request.
    object lockId = rqLockIdField.GetValue(ssm);
    if ((lockId != null) && (oldId != null)) store.ReleaseItemExclusive(Context, oldId, lockId);
    // Mark the old item as not found and switch the request to the new ID, so the
    // module writes the current session contents under newId at the end of the request.
    rqStateNotFoundField.SetValue(ssm, true);
    rqIdField.SetValue(ssm, newId);
}
 
Comments
Md. Rashim Uddin 16-Sep-11 5:58am    
This might work... Good work
senthilkumar 79 18-Feb-15 8:00am    
It works.. Thanks
Please have a look at that [^]
 
Comments
Muthu Nadar 15-Sep-11 9:08am    
Thank you for putting your valuable time in helping me...

I successfully changed the session ID. But what I need is: after changing the session ID I am setting a value in that session. While setting, it gets set. But when I post back the page, the session value is lost.
Hi
You are using some wrong code.

To my knowledge you cannot both abandon the session and invoke session variables in the same request, because the request is processed based on the session ID (I hope you know this). That's why we cannot access that session variable after that request, even though we assign it in that same request.

But you can do it in different requests, like:

First abandon the session in one page, then redirect to another page.
In that page you can invoke your session with another session ID for post-login users.
 
Comments
Muthu Nadar 15-Sep-11 9:10am    
Thank you for putting your valuable time in helping me...

You are right with the concept.

But is there any way of managing these things?
Can you help me out by giving some tips on how I can overcome session hijacking?
Muthu Nadar 15-Sep-11 9:20am    
You must have seen the things which I tried.
I also removed Session.Abandon() and just changed the session ID. Even then the value in the session is not saved.
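Worked example of the two-request pattern the answer above describes, with the identity carried in a forms-authentication ticket as suggested in the question's comments. This is added here and is not the poster's code or any answer's code: the login request abandons the pre-login session and expires its cookie, and the first post-login request receives a fresh session ID and fills the new session from the authenticated identity instead of from the old session. It assumes `<authentication mode="Forms">` in web.config, two textboxes `txtUser` and `txtPassword`, and a site-specific `ValidateCredentials` method, none of which appear on the page.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
// Login page: drop the pre-login session here, carry identity in the forms-auth
// ticket, and leave populating the NEW session to the next request.
public partial class LoginPage : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Assumption: ValidateCredentials is the site's own credential check.
        if (!ValidateCredentials(txtUser.Text, txtPassword.Text))
            return;

        // 1. Abandon the session that existed before login and expire its cookie,
        //    so the browser stops presenting the ID it had while unauthenticated.
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });

        // 2. Identity goes in the authentication ticket, not in Session, so the
        //    session ID change cannot lose it (the ticket cookie is HttpOnly by default).
        FormsAuthentication.SetAuthCookie(txtUser.Text, false);

        // 3. Redirect; the next request carries no session cookie, so ASP.NET issues a fresh ID.
        Response.Redirect("PostLogin.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}

// Post-login page: the first request after login sees a brand-new, empty session.
public partial class PostLoginPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        // Populate the new session from the ticket, never from the old session.
        if (Session["LoginId"] == null)
            Session["LoginId"] = User.Identity.Name;
        // ... fetch the user's data using Session["LoginId"] ...
    }
}
```

Because the post-login page refills `Session["LoginId"]` from the ticket whenever it is missing, a session that times out mid-visit is simply recreated on the next request rather than bouncing the user to the login page.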

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


