Hello,
I am developing with VS2012 and MVC4 and got the error "Session Identifier Not Updated" from IBM Security AppScan.
I tried to change the cookie __RequestVerificationToken after the user logs in. Here is the code:
Session.Abandon();
// replaces the anti-forgery cookie (__RequestVerificationToken) with a fresh random value;
// note this does not touch the ASP.NET_SessionId cookie
Response.Cookies.Add(new HttpCookie(AntiForgeryConfig.CookieName, Guid.NewGuid().ToString()));
I saw the __RequestVerificationToken value changed, but IBM AppScan still reported the same error.
Please help.
Thanks.
Have you tried the [ValidateAntiForgeryToken] attribute instead of manually setting the cookie? Also please take a look at this blog post:
Session Fixation & Forms Authentication Token Termination in ASP.NET
I added the [ValidateAntiForgeryToken] attribute, but still got the error.
Thanks for quick response.
MSFan
got error Session Identifier Not Updated with IBM Security AppScan.
Hi MSFan,
From the description, I see the issue is that the application scan tool is reporting session fixation, which can lead to session hijacking
when it occurs at user login. The current solution is as below:
"For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach,
set a secondary cookie on the user’s browser to a random value and set a session variable to the same value. If the session
variable and the cookie value ever don’t match, invalidate the session, and force the user to log on again."
When a user logs out, you can use the code below:
Session.Abandon();
// in case an attacker has forced a cookie with a future expiration date, expire that cookie as well
Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddYears(-30);
// and overwrite the session cookie with an empty value
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
This will force a new value for the cookie ID when they try to hit the site after logging out.
Hope this helps, thanks.
Best Regards!
I tried logout; it is not helpful.
"For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach,
set a secondary cookie on the user’s browser to a random value and set a session variable to the same value. If the session
variable and the cookie value ever don’t match, invalidate the session, and force the user to log on again."
How to code it on MVC?
Thanks.
MSFan
How to code it on MVC?
You can do this in a filter. Please take a look at this post
Session Fixation & Forms Authentication Token Termination in ASP.NET
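The secondary-cookie approach quoted above, written as an MVC action filter, as an added example (not code from this thread or from the linked blog post). The cookie and session key names, the SessionGuard helper class and the filter name are assumptions; it targets ASP.NET MVC 4 with Forms Authentication.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example: a secondary "guard" cookie bound to a session variable.
// Issue() is called after a successful login; the filter checks every
// authenticated request and terminates the session on any mismatch.
public static class SessionGuard
{
    public const string CookieName = "SessionGuard";        // assumed name
    public const string SessionKey = "SessionGuardValue";   // assumed name

    // Call right after the user's credentials have been verified.
    public static void Issue(HttpContextBase ctx)
    {
        string value = Guid.NewGuid().ToString("N");
        ctx.Session[SessionKey] = value;                     // server side copy
        ctx.Response.Cookies.Set(new HttpCookie(CookieName, value)
        {
            HttpOnly = true,
            Secure = ctx.Request.IsSecureConnection
        });                                                  // browser side copy
    }

    // Abandon the session and expire both cookies so the next request
    // gets a brand new ASP.NET_SessionId and must log in again.
    public static void Clear(HttpContextBase ctx)
    {
        ctx.Session.Abandon();
        var past = DateTime.UtcNow.AddYears(-1);
        ctx.Response.Cookies.Set(new HttpCookie(CookieName, "") { Expires = past });
        ctx.Response.Cookies.Set(new HttpCookie("ASP.NET_SessionId", "") { Expires = past });
        FormsAuthentication.SignOut();
    }
}

// Register in FilterConfig.RegisterGlobalFilters or apply per controller.
public class SessionGuardFilter : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var ctx = filterContext.HttpContext;
        if (!ctx.Request.IsAuthenticated) return;           // anonymous requests unaffected
        var expected = ctx.Session[SessionGuard.SessionKey] as string;
        var presented = ctx.Request.Cookies[SessionGuard.CookieName];
        if (expected != null && presented != null &&
            string.Equals(expected, presented.Value, StringComparison.Ordinal)) return;
        SessionGuard.Clear(ctx);                             // mismatch: invalidate
        filterContext.Result = new RedirectResult(FormsAuthentication.LoginUrl);
    }
}
```

Because the guard value lives in the session as well as in the cookie, a session id fixed before login carries no valid guard and is rejected on the first authenticated request.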