Failure to abandon session¶
ID: cs/session-reuse
Kind: problem
Security severity: 8.8
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-384
Query suites:
- csharp-code-scanning.qls
- csharp-security-extended.qls
- csharp-security-and-quality.qls
Click to see the query in the CodeQL repository
Reusing a session could allow an attacker to gain unauthorized access to another account. Always ensure that, when a user logs in or out, the current session is abandoned so that a new session may be started.
Recommendation¶
Always call HttpSessionState.Abandon() to ensure that the previous session is not used by the new user.
Example¶
The following example shows the previous session being used after authentication. This would allow a previous user to use the new user’s account.
public void Login(HttpContext ctx, string username, string password)
{
if (FormsAuthentication.Authenticate(username, password)
{
// BAD: Reusing the previous session
ctx.Session["Mode"] = GetModeForUser(username);
}
}
This code example solves the problem by not reusing the session, and instead calling Abandon() to ensure that the session is not reused.
public void Login(HttpContext ctx, string username, string password)
{
if (FormsAuthentication.Authenticate(username, password)
{
// GOOD: Abandon the session first.
ctx.Session.Abandon();
}
}
References¶
MSDN: ASP.NET Session State Overview, HttpSessionState.Abandon Method ().
Common Weakness Enumeration: CWE-384.