Session variables that are not cleared after Session.Clear() and Session.Abandon() in ASP.NET
After performing penetration tests on our site, our IT security indicated that the session ID on our server is not cleared after logging out.
Our code for clearing the session looks like this:
' Remove all values from the current session and mark it for destruction
' at the end of this request
Session.Clear()
Session.RemoveAll()
Session.Abandon()
' Expire the forms-authentication cookie on the client
Dim Cookie1 As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, "")
Cookie1.Expires = DateTime.Now.AddYears(-1)
Response.Cookies.Add(Cookie1)
' Expire the session-ID cookie so the browser stops presenting the old ID
Dim Cookie2 As HttpCookie = New HttpCookie("ASP.NET_SessionId", "")
Cookie2.Expires = DateTime.Now.AddYears(-1)
Response.Cookies.Add(Cookie2)
' Remove the authentication ticket and send the user back to the login page
FormsAuthentication.SignOut()
FormsAuthentication.RedirectToLoginPage()
We confirmed this by logging in as UserA and creating a cookie based on that login. After logging out UserA, we register UserB and, as expected, we have acquired all the session values stored in UserA's session ID.
Is there any other way to clear the session data?
Please view this comprehensive page from the Microsoft support site. It speaks directly to what you are trying to do. It has a very good explanation of how sessions can stay intact, etc.
It uses logic in the Login.aspx page to destroy sessions and cookies to overcome spoofing.
Note: The example is in C# but can be easily converted to VB. Let me know if you need help.
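As an added VB illustration of the placement the answer describes (this is neither the original poster's code nor the Microsoft sample it refers to), the login page itself destroys whatever session the browser still presents before authenticating, so the session ID in use after login was never shared with a previous user. The page and control names (Login, btnLogin, txtUser, txtPassword, lblError) and the ValidateCredentials helper are placeholders; the default cookie name ASP.NET_SessionId and cookie-based sessions are assumed.

```vb
' Login.aspx.vb (added example; page, control and helper names are placeholders)
Imports System
Imports System.Web
Imports System.Web.Security

Partial Class Login
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        If Not IsPostBack Then
            ' A browser arriving at the login page with a session cookie may still
            ' be carrying a previous user's session ID. Destroy that session on
            ' the server and expire the cookie so the browser stops sending it;
            ' the POST that follows then starts with no session ID at all.
            If Request.Cookies("ASP.NET_SessionId") IsNot Nothing Then
                Session.Clear()
                Session.Abandon()
                Dim stale As New HttpCookie("ASP.NET_SessionId", "")
                stale.Expires = DateTime.Now.AddYears(-1)
                stale.HttpOnly = True
                Response.Cookies.Add(stale)
            End If
            ' Also drop any leftover forms-authentication ticket.
            FormsAuthentication.SignOut()
        End If
    End Sub

    Protected Sub btnLogin_Click(sender As Object, e As EventArgs) Handles btnLogin.Click
        ' ValidateCredentials stands in for the application's own credential check.
        If Not ValidateCredentials(txtUser.Text, txtPassword.Text) Then
            lblError.Text = "Invalid login."
            Return
        End If

        ' This postback carries no session cookie (it was expired on the GET), so
        ' storing a value here makes ASP.NET allocate a fresh session ID and issue
        ' a new ASP.NET_SessionId cookie alongside the authentication ticket.
        Session("UserName") = txtUser.Text
        FormsAuthentication.RedirectFromLoginPage(txtUser.Text, False)
    End Sub

    Private Function ValidateCredentials(userName As String, password As String) As Boolean
        ' Placeholder: replace with the application's membership or directory check.
        Return Membership.ValidateUser(userName, password)
    End Function
End Class
```

After deploying this, repeat the UserA/UserB test from the question and compare Session.SessionID before logout and after the second login; the two values should differ.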