Tags: asp.net-mvc, owasp, session-hijacking

Prevent Session Hijacking in asp.net mvc application


How can we prevent session hijacking in an asp.net mvc application? The following steps were performed by the testers to hijack the session - OWASP A2.

  1. Login as a low-privilege user.
  2. Login as an admin user (in a separate browser, from the same machine).
  3. Copied the ASP.NET Session ID of the admin user.
  4. Replaced the ASP.NET Session ID of the low-priv user with that of the admin user.

By doing the above steps, the low-priv user was able to access the admin areas of the app.

  1. The application is hosted with SSL (https).
  2. Cookies have been set to Secure and HttpOnly.
  3. Cookies are set to expire on Session_End and Signout.

Still, I am able to reproduce the scenario explained above using Fiddler. Could someone please help with ways to arrest the above issue?

Thanks.


Solution

  • I would argue that if someone were able to steal the cookie, then she should be able to log in. The mitigation should be using short-lived cookies for sensitive resources, and requiring the user to re-enter her credentials before doing anything with sensitive data, for example setting a password, granting permissions, etc. Also, you should make it hard to steal a cookie, which it seems you already did. It is worth also adding SameSite, and keeping your site secure.
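As an added example (not code from the original question or answer), one way to implement the answer's re-authentication advice in an ASP.NET MVC 5 application: an authorization filter that only admits a request to a sensitive action if the user entered their password within the last few minutes. The `RecentAuthentication` class, the session key, and the `Account/ReAuthenticate` route are assumptions; the login and re-authentication actions are assumed to call `MarkPasswordEntered` after a successful password check.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical helper: records when the current user last proved knowledge of the password.
public static class RecentAuthentication
{
    public const string SessionKey = "LastPasswordEntryUtc";

    // Called by the login and re-authentication actions after the password check passes.
    public static void MarkPasswordEntered(HttpSessionStateBase session) =>
        session[SessionKey] = DateTime.UtcNow;

    public static bool IsFresh(HttpSessionStateBase session, TimeSpan maxAge)
    {
        var last = session?[SessionKey] as DateTime?;
        return last.HasValue && DateTime.UtcNow - last.Value <= maxAge;
    }
}

// Apply as [RequireRecentAuthentication(maxAgeMinutes: 5)] to SetPassword, GrantPermissions, etc.
public sealed class RequireRecentAuthenticationAttribute : AuthorizeAttribute
{
    private readonly TimeSpan _maxAge;

    public RequireRecentAuthenticationAttribute(int maxAgeMinutes = 5)
    {
        _maxAge = TimeSpan.FromMinutes(maxAgeMinutes);
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Usual authentication plus Roles/Users checks first, then the freshness check.
        if (!base.AuthorizeCore(httpContext)) return false;
        return RecentAuthentication.IsFresh(httpContext.Session, _maxAge);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var http = filterContext.HttpContext;
        if (!http.User.Identity.IsAuthenticated)
        {
            base.HandleUnauthorizedRequest(filterContext); // normal login redirect
            return;
        }
        // Logged in, but the last password entry is too old: prompt for it again.
        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
        {
            { "controller", "Account" }, { "action", "ReAuthenticate" }, { "returnUrl", http.Request.RawUrl }
        });
    }
}
```

Because the timestamp lives in the same session whose ID was copied in the test above, this only narrows the window in which a copied session is useful for sensitive actions to `maxAge`; the answer's short-lived cookies and SameSite are still needed alongside it.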