The web application I am working on does not destroy sessions properly, which means it is very prone to hijacks. I can log off, enter in the cookies .EpiserverLogin and .ASPXRoles, and I'm inside the application again. My current code for destroying sessions is as follows:
HttpContext.Current.Session.Clear();
HttpContext.Current.Session.Abandon();
HttpContext.Current.Session.RemoveAll();
HttpContext.Current.User = null;
System.Web.Security.FormsAuthentication.SignOut();
Any help as to what I am doing wrong is greatly appreciated!
EDIT: Here is my authentication in my web.config
<authentication mode="Forms">
<forms name=".EPiServerLogin" loginUrl="CustomLogin.aspx" timeout="50" />
</authentication>
And this is how I validate users logging in:
var validated = Membership.ValidateUser(username, password);
if (validated)
{
FormsAuthentication.SetAuthCookie(username, true);
Response.Redirect("/");
}
Sessions and authentication cookies aren't really related. The authentication cookie tells the web server which user the request comes from, if the user is logged in. If the session has timed out due to inactivity (default after 20 minutes unless it's changed), a new session for the user is created on the next request.
If you want to tie an authentication cookie to a specific session, you could solve that by generating your own FormsAuthenticationTicket and setting userData to the session ID. Then encrypt the ticket and create a cookie and send it to the client. Then, on each request, decrypt the ticket and make sure the userData value is the same as the session id. If not, do a Session.Abandon() and then a FormsAuthentication.SignOut(). Even if the cookie is restored, the session id will have changed when a new session is created.
This solution will not work if you are on a load-balanced solution and use InProc session state.
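A worked version of the ticket-binding scheme described in the answer, added here as an example and not code from the question or the answer. SessionBoundAuth, IssueTicket and ValidateBoundTicket are names chosen for this example; IssueTicket would take the place of the SetAuthCookie call in the login code above, and ValidateBoundTicket is wired from Global.asax as shown in the comment.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class SessionBoundAuth
{
    // Issue a forms ticket whose UserData is the current session ID (hypothetical helper).
    public static void IssueTicket(HttpContext ctx, string username)
    {
        // ASP.NET only keeps a SessionID stable once the session holds a value,
        // so store a marker before reading the ID.
        ctx.Session["auth-bound"] = true;
        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: username,
            issueDate: DateTime.Now,
            expiration: DateTime.Now.AddMinutes(50), // same timeout as the web.config above
            isPersistent: false,                     // browser-session cookie, not persistent
            userData: ctx.Session.SessionID);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        ctx.Response.Cookies.Add(cookie);
    }

    // Global.asax: Application_PostAcquireRequestState is the first pipeline event
    // where both the forms cookie and Session are available:
    //   protected void Application_PostAcquireRequestState(object s, EventArgs e)
    //       => SessionBoundAuth.ValidateBoundTicket(HttpContext.Current);
    public static bool ValidateBoundTicket(HttpContext ctx)
    {
        var cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || ctx.Session == null) return true; // anonymous request, nothing to check
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { ticket = null; }                    // malformed or tampered cookie
        if (ticket != null && !ticket.Expired && ticket.UserData == ctx.Session.SessionID)
            return true;
        // Replayed ticket from an old session: drop both session and cookie, back to login.
        ctx.Session.Abandon();
        FormsAuthentication.SignOut();
        ctx.Response.Redirect(FormsAuthentication.LoginUrl, endResponse: true);
        return false;
    }
}
```

After Session.Abandon() the next request gets a fresh SessionID, so a restored copy of the old cookie fails the UserData comparison even though the ticket itself still decrypts.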