Session variables that are not cleared after Session.Clear() and Session.Abandon() in ASP.NET

After performing penetration tests on our site, our IT security team indicated that the session ID on our server is not cleared after logging out.

Our code for clearing the session looks like this:

' Remove all keys from the current session, then mark it abandoned
' (the server-side state is discarded at the end of this request)
Session.Clear()
Session.RemoveAll()
Session.Abandon()

' Expire the forms-authentication cookie in the browser
Dim Cookie1 As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, "")
Cookie1.Expires = DateTime.Now.AddYears(-1)
Response.Cookies.Add(Cookie1)

' Expire the ASP.NET session cookie so the old session ID is not sent again
Dim Cookie2 As HttpCookie = New HttpCookie("ASP.NET_SessionId", "")
Cookie2.Expires = DateTime.Now.AddYears(-1)
Response.Cookies.Add(Cookie2)

' Remove the authentication ticket and send the user to the login page
FormsAuthentication.SignOut()
FormsAuthentication.RedirectToLoginPage()

We confirmed this by logging in as UserA and creating a cookie based on that login. After logging out UserA, we registered UserB and, as expected, acquired all the session values stored under UserA's session ID.

Is there any other way to clear the session data?

+3

2 answers


According to MSDN, Session.Clear and Session.RemoveAll do the same thing. You must call this before you call Clear:

System.Web.Security.FormsAuthentication.SignOut()


0
Please view this comprehensive page from the Microsoft support site. It speaks directly to what you are trying to do. It has a very good explanation of how sessions can stay intact, etc.

It uses logic in the Login.aspx page to destroy sessions and cookies to overcome spoofing.

Note: The example is in C# but can be easily converted to VB. Let me know if you need help.

https://support.microsoft.com/en-us/kb/899918

0

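The pattern the question and the linked KB article describe, written out as an added example (C#, not code from the question or from the Microsoft article): on logout, discard the server-side session and expire both the session and the forms-authentication cookies so the browser stops presenting the old ASP.NET_SessionId; at login, issue a brand-new session ID so values tied to the previous ID are not inherited by the next user. It assumes a Web Forms application with forms authentication and the default cookie-based session; the class and method names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Hypothetical helper class; call these from the logout and login handlers.
public static class SessionHygiene
{
    // Logout: abandon the server-side session and make the browser drop the
    // session and auth cookies so the old ASP.NET_SessionId is not reused.
    public static void Logout(HttpContext ctx)
    {
        ctx.Session.Clear();
        ctx.Session.Abandon(); // state is removed at the end of this request

        ExpireCookie(ctx, "ASP.NET_SessionId");
        ExpireCookie(ctx, FormsAuthentication.FormsCookieName);

        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }

    // Login: after credentials have been verified, replace whatever session ID
    // the browser presented with a freshly generated one. Any data stored under
    // the pre-login (or a previous user's) ID is cleared rather than carried over.
    public static void RegenerateSessionId(HttpContext ctx)
    {
        ctx.Session.Clear();

        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(ctx);
        bool redirected, cookieAdded;
        // Writes the new ID into the ASP.NET_SessionId cookie for this response;
        // the next request starts an empty session under the new ID.
        manager.SaveSessionID(ctx, newId, out redirected, out cookieAdded);
    }

    // Overwrite a cookie with an empty value and a past expiry date so the
    // browser discards it.
    private static void ExpireCookie(HttpContext ctx, string name)
    {
        var cookie = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.Now.AddYears(-1),
            HttpOnly = true
        };
        ctx.Response.Cookies.Add(cookie);
    }
}
```

After deploying, repeat the UserA/UserB check from the question: the ASP.NET_SessionId value seen by UserB after login should differ from UserA's, and UserB's session should start empty.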