Session Identifier Not Updated Appscan
If any of the session identifiers is not updated when AppScan logs in (or when it sends the in-session page check), AppScan flags the Session Identifier Not Updated vulnerability. This finding may be a false positive in the following two cases: AppScan fails to log in to the application.
Expected behavior: If no session cookies exist in the request, AppScan shouldn't flag the 'not updated' issue.
Observed behavior: AppScan flags the 'Session Identifier Not Updated' issue if there are no session cookies in the request.
Workarounds (if applicable): N/A
Reproduction steps: Scan a site with no session cookies before the welcome page (post login).
Additional technical detail: N/A
I know that mojoPortal-based sites do not change the Session Id after a user signs in to the site - the browser just gets an authentication cookie. However, I've been told by our security team that an AppScan of our site has flagged this unchanged Session Id as a serious vulnerability.
Re: Session Identifier Not Updated
This is the accepted answer.
It does return a 200; however, .js and .axd handlers do not implement IRequiresSessionState, so the cookie is never used, nor would the requests have access to session.
Typically there is one of two causes for a Session Identifier Not Updated false positive:
- The scan does not have a Recorded Login with in-session detection enabled and/or configured. See the technote on In-Session Detection.
- The scan may have cookies or parameters which are not actually session identifiers flagged as tracked, so the test isn't actually applicable.
Recently we had a security scan (IBM AppScan) of one of our ASP.NET applications, which reported a Medium vulnerability as follows:
Session Identifier Not Updated
Severity: Medium
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.
Causes: Insecure web application programming or configuration.
And the fix suggested by the tool for ASP.NET is:
For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.
We have SSL certificates installed for our application and made sure all the cookies (session, authentication and AntiForgeryToken) are Secure (RequireSSL='True') and HttpOnly, and we also implemented Microsoft's recommendation for mitigating the CSRF vulnerability, as described in Microsoft CSRF Fix.
My question here is: even with SSL certificates and traffic over HTTPS, is it still possible to hijack a session? And since I am already using a secondary Secure, HttpOnly cookie (AntiForgeryToken), what else do I have to do to make the application more secure?
2 Answers
Not sure if you are using Forms Authentication, but you can try doing the below when a user logs out:
This will force a new value for the cookie Id when they try to hit the site after logging out. To see this working, you can use Google Chrome: open your application and hit F12 to bring up the developer tools. Under the Resources tab there is a Cookies item, and under that you should see your site's cookie. Check the value as you log in and surf the site; after logging out, the above code should force the id to change. Otherwise, even after logging out it stays the same, which is what AppScan sounds like it's asking you to fix.
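The fix recommendation quoted in the question (a secondary cookie mirrored in a session variable, with the session invalidated on mismatch) together with the session-id rotation at logout that this answer describes, as an added ASP.NET (System.Web, Forms Authentication) example that is not code from the question, the answer, or AppScan. The class, cookie and session-key names are assumptions, and the check skips handlers that have no session state, which is the .js/.axd case mentioned earlier on this page.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
// Hypothetical helper: secondary-cookie binding plus session-id rotation at logout. Names are assumptions.
public static class SessionBinding
{
    private const string BindingCookie = "__SessionBinding";
    private const string SessionKey = "SessionBindingValue";
    private const string SessionIdCookie = "ASP.NET_SessionId"; // default; match <sessionState cookieName>
    // Call once credentials are verified, next to FormsAuthentication.SetAuthCookie.
    public static void OnLogin(HttpContext ctx)
    {
        byte[] raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string value = Convert.ToBase64String(raw);
        ctx.Session[SessionKey] = value;              // server-side copy of the random value
        ctx.Response.Cookies.Add(new HttpCookie(BindingCookie, value) { HttpOnly = true, Secure = true });
    }
    // Call from Global.asax Application_PostAcquireRequestState on every request.
    // Returns true when the request was rejected (session invalidated, redirect to login).
    public static bool Enforce(HttpContext ctx)
    {
        // Handlers without IRequiresSessionState (.axd, .js) have no session: nothing to check.
        if (ctx.Session == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return false;
        string expected = ctx.Session[SessionKey] as string;
        HttpCookie presented = ctx.Request.Cookies[BindingCookie];
        if (expected != null && presented != null && FixedTimeEquals(expected, presented.Value))
            return false;
        Logout(ctx);                                  // logged-in session without its cookie: invalidate it
        ctx.Response.Redirect(FormsAuthentication.LoginUrl, false);
        ctx.ApplicationInstance.CompleteRequest();
        return true;
    }
    // Abandon the session and expire both cookies so the next request is issued a new id.
    public static void Logout(HttpContext ctx)
    {
        FormsAuthentication.SignOut();
        ctx.Session.Abandon();
        foreach (string name in new[] { SessionIdCookie, BindingCookie })
            ctx.Response.Cookies.Add(new HttpCookie(name, "") { Expires = DateTime.UtcNow.AddDays(-1) });
    }
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

With this in place a session id that existed before login is only useful together with the binding cookie issued at login, which is the property the scanner's "not updated" check is looking for.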
Paritosh
In general it's best to avoid using Session variables in ASP.NET applications for a number of reasons, not least among them maintaining balance across load-balanced servers.
There are a number of alternatives to using AntiForgeryTokens stored in session as part of the Synchroniser Token Pattern. One method gaining traction is the Encrypted Token Pattern, implemented by a Framework called ARMOR. The premise here is that you need neither Session nor cookies in order to maintain CSRF protection. It won’t be impacted by SSL Certificates.
Question & Answer
Question
Is there more reference material for 'Session Identifier Not Updated' and 'Session Not Invalidated After Logout' tests in relation to a ASP.NET environment for working in IBM Security Appscan Standard?
Cause
Currently, the Advisory and Fix Recommendation only contains information pertaining to PHP, and not to ASP.NET.
Answer
There is limited information in the Advisory and Fix Recommendation for the below tests in AppScan Standard with regard to ASP.NET issues:
- Session Identifier Not Updated
- Session Not Invalidated After Logout
These links contain additional reference material for session issues in ASP.Net:
Related URL
Document Information
Modified date:
19 September 2018