Session state best practices:
- Reconfigure the default session id name in order to obfuscate the true meaning of the cookie value. In the case of ASP.NET, the default name is ASP.NET_SessionId. This immediately gives away that the application is ASP.NET and that that cookie contains the session id value.
- Ensure the length of the session id is long enough to prevent brute force attacks. Recommended length is 128 bits.
- Ensure the session id is created in a truly random way. This ensures that attackers can’t guess the session id due to some predictability analysis.
- Ensure that the session id does not contain any additional sensitive data. Instead, the value should be nothing more than a random string of characters with no meaning other than the session id as a whole.
- HTTPS should be employed for all session based applications handling sensitive data.
- Session cookies should be created with the Secure and HttpOnly attributes set.
- Prevent concurrent sessions where possible.
- Destroy sessions upon timeout, logoff, browser close or log-in from a separate location.
Cookie best practices:
- Do not store any critical information in cookies. For example, do not store a user’s password in a cookie, even temporarily. As a rule, do not keep anything in a cookie that, if spoofed, can compromise your application. Instead, keep a reference in the cookie to a location on the server where the information is.
- Set expiration dates on cookies to the shortest practical time you can. Avoid permanent cookies if possible.
- Consider encrypting information in cookies.
- Consider setting the Secure and HttpOnly properties on the cookie to true.
In order to implement best practices for cookies, add the code lines below into your application.
<system.web> <sessionState regenerateExpiredSessionId="false" cookieless="UseCookies" cookieName="id" /> </system.web>
Response.Cookies.Add(new HttpCookie("id", "")); Response.Cookies["id"].HttpOnly = true; Response.Cookies["id"].Secure = Convert.ToBoolean(ConfigurationManager.AppSettings["SecureCookie"]);