Monday, June 11, 2012

Security Series: Session Hijacking / Cookie Stealing

ASP.Net identifies users by means of the session ID cookie [ASP.Net_SessionID]. When forms authentication is used, it relies on an additional cookie called .ASPXAUTH.
   
    If an attacker obtains these cookies, they can impersonate the valid user. Even though modern browsers prevent a different site from reading or altering these cookies, if an attacker is able to inject script into our page, that script runs in our origin and gains access to these cookies.
   
This attack can be prevented by the following methods.
Client IP Address Check:  
Track the client IP address from which the session was initiated. Deny the request if the client IP address differs from the address the session was initiated from. 
       
    Even though this is a nice solution, it suits the corporate LAN scenario and is not suitable for Internet applications. It will reject the client's request in these scenarios:
        * The connection has been reset and the client got a new IP address.
        * The ISP routes all HTTP traffic through a set of load-balanced proxy servers, so consecutive requests arrive from different addresses.
       
HTTPOnly Cookie
Mark a cookie with the HttpOnly flag. This hides the cookie from JavaScript (it does not appear in document.cookie) but the browser still sends it with HTTP requests. Mark all sensitive cookies as HttpOnly unless you have a specific reason to access them through JavaScript.
       
    By default ASP.Net marks both the ASP.Net_SessionID and .ASPXAUTH cookies as HttpOnly. You can mark your own cookies as HttpOnly as shown below:
       
    // HttpOnly = true: the browser sends the cookie with requests but hides it from script
    Response.Cookies.Add(new HttpCookie("Cookie1")
    {
        Value = "Values",
        HttpOnly = true
    });
   
    It's not a complete defense against cookie stealing, because you might still inadvertently expose the cookie contents elsewhere (for example by writing the value into the page or into a log).
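As an added example (not code from the original post), a small Python check that a defender can run over a server's response headers to see which identity cookies were set without HttpOnly. The Set-Cookie headers below are constructed samples mimicking an ASP.Net forms-authentication response; the cookie names ASP.NET_SessionId and .ASPXAUTH are the ones ASP.Net issues.

```python
"""Report sensitive cookies that an HTTP response sets without HttpOnly.
Added example, not from the original post; headers below are constructed."""

# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS = [
    ("Set-Cookie", "ASP.NET_SessionId=v2rqksrmcxfw1wo1yi5k5vsz; path=/; HttpOnly"),
    ("Set-Cookie", ".ASPXAUTH=0A1B2C3D; expires=Mon, 11-Jun-2012 10:00:00 GMT; path=/"),
    ("Set-Cookie", "Cookie1=Values; path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; path=/"),
]

# Cookies that carry the user's identity and must never be readable from script.
SENSITIVE_COOKIES = {"asp.net_sessionid", ".aspxauth"}


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; value-less flags such as HttpOnly map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def find_script_readable(headers, sensitive=SENSITIVE_COOKIES):
    """Return the names of sensitive cookies set without the HttpOnly flag.
    Only Set-Cookie headers are inspected; names are compared case-insensitively."""
    exposed = []
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(header_value)
        if name.lower() in sensitive and "httponly" not in attrs:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    # With the constructed headers, only .ASPXAUTH is missing HttpOnly.
    print("Sensitive cookies readable from JavaScript:",
          find_script_readable(SAMPLE_HEADERS))  # ['.ASPXAUTH']
```

The same check can be pointed at a real response by replacing SAMPLE_HEADERS with the (name, value) pairs from the server's response.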


References
1. Pro ASP.NET MVC 3 Framework by Adam Freeman & Steven Sanderson
2. https://www.owasp.org/index.php/Session_hijacking_attack
