How to save session id and validate it with another session id when user log in to the application from new browser

Tushar Gupta 1

Hi Support,

I want to save the UserId and SessionID. When the user logs into the application with the same URL in another browser then I need to validate that the SessionID is not the same when logging into the application in another browser.

I tried saving the SessionID in sessions but when the user logs in to the application from another browser the session gets null so I couldn't validate it from the current SessionId.

The same happened with the cookies as well.

Problem Remediation:
"User cookies should be validated during login to the application and if there is an existing session with the same cookie, then try to assign a new session cookie and Validate the user credential again."

https://owasp.org/www-community/attacks/Session_hijacking_attack

Please suggest a solution.

Lan Huang-MSFT 25,556 Reputation points Microsoft Vendor

2024-03-29T09:38:31.9433333+00:00

Hi @Tushar Gupta,

What project are you using?
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
AgaveJoe 26,201 Reputation points

2024-03-29T11:43:22.3533333+00:00

The solution is to use cookie authentication not Session to authorize access to resources.
Tushar Gupta 1 Reputation point

2024-03-29T11:46:10.3433333+00:00

When an application gets started the "ASP.NET_SessionId" is there in the cookies. So, how can we validate if there is already an existing session present on the same SessionId in a different browser?
AgaveJoe 26,201 Reputation points

2024-03-29T14:14:53.2566667+00:00

When an application gets started the "ASP.NET_SessionId" is there in the cookies. So, how can we validate if there is already an existing session present on the same SessionId in a different browser?

That's not how Session works. The session ID does not persist until it is assigned. Again, I would follow standards and use an authentication cookie which is what the problem remediation seems to be referring to.

At the time the user logs in set a GUID in the user account table along with the last access DateTime. Also, store the GUID in the user's authentication cookie. Every time the user accesses the site, check if the GUID matches and set the last access DateTime to the current date. When the same user tries to login on with a different browser, the login code checks the the last access DateTime. If the time is less than, let's say 5 minutes, then it can be assumed the user is already logged in.

Another option is to let the last successful login win. In this this case, when the second user logs in, they get to set the GUID. Since the GUID has changed the first user's GUID will not match.

ASP.NET Identity has the feature.

https://learn.microsoft.com/en-us/aspnet/identity/overview/getting-started/introduction-to-aspnet-identity
SurferOnWww 1,911 Reputation points

2024-04-06T00:44:49.38+00:00

So, how can we validate if there is already an existing session present on the same SessionId in a different browser?

It is virtually impossible. I suggest that you consider using the ASP.NET Identity for user authentication in which authentication cookie is used to identify the user.

1 answer

Bruce (SqlWork.com) 56,031 Reputation points

2024-04-05T21:48:24.6433333+00:00

by default, the session id is stored in a session only cookie (only current browser instance and not saved to persist store) as is the Authentication token. this means two browser instances will have two sessions in asp.net. two tabs in the same instance will share session and authentication cookies.

you should be using ssl to prevent man in the middle attacks and session sniffing.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment