Best practices for session state and cookies in ASP.NET application

Session state best practices:

  • Reconfigure the default session id cookie name to obfuscate what the cookie value is. In ASP.NET the default name is ASP.NET_SessionId, which immediately gives away that the application is ASP.NET and that the cookie contains the session id.
  • Ensure the session id is long enough to resist brute-force guessing; the recommended length is 128 bits.
  • Ensure the session id is generated in a truly random way, so that attackers cannot predict a valid id by analysing patterns in previously issued ids.
  • Ensure that the session id does not contain any additional sensitive data. Instead, the value should be nothing more than a random string of characters with no meaning other than the session id as a whole.
  • HTTPS should be employed for all session-based applications handling sensitive data.
  • Session cookies should be created with the Secure and HttpOnly attributes set.
  • Prevent concurrent sessions where possible.
  • Destroy sessions upon timeout, logoff, browser close or log-in from a separate location.

Cookie best practices:

  • Do not store any critical information in cookies. For example, do not store a user’s password in a cookie, even temporarily. As a rule, do not keep anything in a cookie that, if spoofed, can compromise your application. Instead, keep a reference in the cookie to a location on the server where the information is.
  • Set expiration dates on cookies to the shortest practical time you can. Avoid permanent cookies if possible.
  • Consider encrypting information in cookies.
  • Consider setting the Secure and HttpOnly properties on the cookie to true.

Code examples

To apply the cookie best practices above, add the lines below to your application.

Web.config file:

<system.web>
  <!-- Rename the session cookie away from the default ASP.NET_SessionId and require cookie-based sessions -->
  <sessionState regenerateExpiredSessionId="false" cookieless="UseCookies" cookieName="id" />
</system.web>

Code-behind file:

// C# code-behind (e.g. Page_Load); needs System, System.Configuration and System.Web.
// Response.Cookies["id"] returns the queued session cookie (created if absent), so no empty Add() is needed.
HttpCookie sessionCookie = Response.Cookies["id"];
sessionCookie.HttpOnly = true;   // hidden from client-side script
sessionCookie.Secure = Convert.ToBoolean(ConfigurationManager.AppSettings["SecureCookie"]);   // HTTPS only; set SecureCookie=true in appSettings
