We have had a security test against our site, and a vulnerability has been identified.
Issue
If the session identifier were known by an attacker who had access to
the user’s workstation, the logged out session could be accessed using
the session cookie after the user had terminated their session.
Recommendation
Ensure that session identifiers are correctly terminated on the server
side when the logout function is invoked.
Code
The code currently does this (if a user clicks the “logout” button):
FormsAuthentication.SignOut();
Roles.DeleteCookie();
Session.Clear();
I’m not sure how to check “ensure that session identifiers are correctly terminated on the server side when the logout function is invoked.”
I’ve done some research and think I should be doing this instead:
Session.Abandon();
If not, what should I be doing? (I’m not entirely sure how to test this…)
In ASP.NET, Session.Abandon() is not sufficient for this task: it does not remove the session ID cookie from the user’s browser, so any new request to the same application, after the session is abandoned, will use the same session ID and a new Session State instance! As Microsoft states here.

You need to abandon the session and clear the session ID cookie:

It’s also a good practice to change the Forms Authentication cookie name in your web.config file:

Here’s a good article on Session Attacks and ASP.NET and how to resolve it.
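The logout sequence the answer describes, written out as an added example (this is not the original poster's code, not the answer's elided snippet, and not Microsoft's sample). It assumes classic ASP.NET Forms Authentication on System.Web, that the session cookie keeps its default name ASP.NET_SessionId (override the string if web.config sets sessionState cookieName), and a hypothetical helper class LogoutHelper called from the logout button's handler:

```csharp
// Added example, not code from the original question or answer.
// Assumes ASP.NET Forms Authentication (System.Web) and the default
// session cookie name "ASP.NET_SessionId".
using System;
using System.Web;
using System.Web.Security;

public static class LogoutHelper
{
    public static void Logout(HttpContext ctx)
    {
        // 1. Remove the forms-authentication ticket cookie from the response.
        FormsAuthentication.SignOut();

        // 2. Remove the cached role cookie, if role caching is enabled.
        Roles.DeleteCookie();

        // 3. Abandon the session so the server-side Session State object is released.
        //    Session.Clear() alone only empties the dictionary; the session and its ID live on.
        ctx.Session.Abandon();

        // 4. Session.Abandon() does NOT expire the session ID cookie in the browser.
        //    Without this step the next request presents the same ID and ASP.NET
        //    happily builds a new Session State instance under that old identifier.
        ExpireCookie(ctx, "ASP.NET_SessionId");

        // 5. Belt and braces: expire the forms-auth cookie under whatever name
        //    web.config gave it (<forms name="..."/>), so a stale copy is not kept.
        ExpireCookie(ctx, FormsAuthentication.FormsCookieName);

        // 6. Redirect so the browser processes the Set-Cookie headers before
        //    rendering any further page.
        ctx.Response.Redirect(FormsAuthentication.LoginUrl, endResponse: true);
    }

    // Overwrite a cookie with an empty value and a past expiry date; a browser
    // that receives this drops the cookie.
    private static void ExpireCookie(HttpContext ctx, string name)
    {
        var cookie = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = ctx.Request.IsSecureConnection,
            Path = "/"
        };
        ctx.Response.Cookies.Add(cookie);
    }
}
```

To verify the fix in the way the tester did, log in, note the session and forms cookies, log out, and confirm that a request carrying the old cookie values is redirected to the login page rather than served authenticated content. One caveat a practitioner should keep in mind: a Forms Authentication ticket is self-contained and is not tracked on the server, so SignOut() and cookie expiry only instruct the browser to discard it. If a copied ticket must be rejected before its own expiry, the application needs its own server-side record of logged-out tickets (or short ticket lifetimes with sliding expiration disabled); that is outside what the snippet above provides.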