Hi Everyone,
I ran into a real issue with our app sec team: they asked me to apply the path attribute to the session cookie in ASP.NET.
I am sharing my experience with you; I hope it helps.
ASP.NET's session state module (not IIS itself) issues the session cookie, named ASP.NET_SessionId by default, and out of the box it is sent with Path=/. The attributes of that cookie are therefore ours to set. Keep in mind what the Path attribute actually does: it controls which URLs on the host the browser sends the cookie to. On its own it is not a defence against session fixation (that needs a fresh session ID to be issued at login), so treat the steps below as a cookie-scoping fix.
Let's see how to set it.
The default cookie name is "ASP.NET_SessionId", chosen by ASP.NET.
If you do not want that name, you can rename the cookie. This does not create a second cookie; it only changes the name under which the session cookie is issued.
To rename it, add cookieName="<your cookie name>" to the <sessionState> element in web.config.
From then on the session cookie is issued under that name. Now you have to set the attributes for your cookie.
By default the Path attribute is "/". If we leave it that way, the browser attaches our session cookie to every request to the host, including requests to other applications hosted under other virtual directories on the same server, so any of those applications receives our users' session IDs in its request headers. To narrow that, set the Path attribute to our application's own directory. One caveat: Path is a scoping control, not an isolation boundary. The browser's same-origin policy does not separate paths, so a page on the same host under a different path can still read the cookie through script (RFC 6265, section 8.5). Path scoping is still worth doing, but do not rely on it alone.
Add the below code to Session_Start() in the Global.asax file. Set the path on every new session, over HTTP and HTTPS alike; wrapping it in an If Not Request.IsSecureConnection check would leave HTTPS sessions with Path=/.
Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
    ' Scope the session cookie to this application's virtual directory.
    ' Session_Start fires for a new session, so the cookie is in Response.Cookies here.
    Response.Cookies("<your cookie name>").Path = "<your application name>"
End Sub
Be careful when choosing "<your application name>". It must be your virtual directory name, or the path of the folder where your application lives, written as an absolute path with a leading slash (Request.ApplicationPath returns exactly this for the running application, e.g. "/test" for an app in the test virtual directory). Browsers match cookie paths as prefixes at "/" boundaries, so "/test/" covers everything below /test/ but not /testing/.
For example:
If your application's URL is http://<your host>/test/default.aspx, then <your application name> should be '/test/'.
If your application's URL is http://<your host>/test/child/default.aspx, then <your application name> should be '/test/child/'.
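To check the result without a browser, the following is an added example (not code from the original post) that implements the RFC 6265 section 5.1.4 path-match rule a browser applies before sending a cookie, and uses it to audit the Set-Cookie header an application emits before and after the path fix. The two Set-Cookie headers, the request paths and the session ID value in it are constructed for the example, not captured from a real server; the virtual directory /test/ follows the examples above.

```python
"""Audit a session cookie's Path attribute (added example, not from the original post).

Implements RFC 6265 section 5.1.4 path matching and the default-path rule, then uses
them to show which request paths on the same host would receive the session cookie.
All headers and paths below are constructed sample data, not captured traffic.
"""
from __future__ import annotations

from http.cookies import SimpleCookie

# Constructed Set-Cookie headers: ASP.NET's default scoping, and the same cookie
# after Session_Start sets Path to the application's virtual directory.
BEFORE = "ASP.NET_SessionId=abc123; path=/; HttpOnly"
AFTER = "ASP.NET_SessionId=abc123; path=/test/; HttpOnly"

# Request paths on the same host; only the /test/... ones belong to our application.
REQUEST_PATHS = [
    "/test/default.aspx",
    "/test/child/default.aspx",
    "/testing/default.aspx",  # a different app whose name shares a prefix with ours
    "/other/login.aspx",
]


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4: would the browser attach the cookie to this request?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # A prefix only counts at a "/" boundary, so Path=/test does not cover /testing.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def default_path(request_uri_path: str) -> str:
    """RFC 6265 section 5.1.4 default-path, used when Set-Cookie carries no Path attribute."""
    if not request_uri_path.startswith("/") or request_uri_path.count("/") == 1:
        return "/"
    # Everything up to, but not including, the right-most "/".
    return request_uri_path[: request_uri_path.rindex("/")]


def effective_path(set_cookie: str, name: str, issued_at: str) -> str:
    """Path the browser will store for the named cookie in a Set-Cookie header.

    issued_at is the request path of the response that set the cookie; it only
    matters when the header omits Path, in which case the browser derives one.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    return jar[name]["path"] or default_path(issued_at)


def paths_receiving(cookie_path: str, request_paths: list[str]) -> list[str]:
    """Subset of request_paths to which the browser would send a cookie with this Path."""
    return [p for p in request_paths if path_match(p, cookie_path)]


def audit(set_cookie: str, name: str, app_path: str, issued_at: str) -> list[str]:
    """Findings for the named cookie; an empty list means it is scoped to app_path."""
    findings = []
    scope = effective_path(set_cookie, name, issued_at)
    if scope != app_path:
        findings.append(f"Path is {scope!r}, expected {app_path!r}")
    leaks = [p for p in paths_receiving(scope, REQUEST_PATHS) if not path_match(p, app_path)]
    if leaks:
        findings.append("cookie would also be sent to: " + ", ".join(leaks))
    return findings


if __name__ == "__main__":
    for label, header in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(header, "ASP.NET_SessionId", "/test/", "/test/default.aspx"))
```

Run it and the "before" header reports that the cookie would also reach /testing/ and /other/, while the "after" header reports nothing. To audit a live deployment, paste the real Set-Cookie value from the first response of a new session in place of the constructed header and pass the path that response was served from as issued_at.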