Franc Stratton's .NET (TM) Web Application, OOP, and SOA Architecture & Programming Site

A site devoted to ASP.NET (TM), SilverLight (TM) and Browser-Based WPF (TM) Applications, IIS Services, and OOP Architectures

Session management methodologies to help prevent attacks:

.NET programmers should set the session timeout in the authentication ticket (cookie) so that the user must log in again whenever the session expires due to a lack of activity. Session timeout values must be approved by the Team Leadership Committee prior to deployment, and this value can only be modified with a change order approved by the leadership committee and the requesting stakeholder.

Each .NET programmer should make only very limited use of session variables, and these should hold only data that is not sensitive or dangerous to the security of the application or database. When the web form is unloaded, all session variables should be set to null for .NET Framework garbage collection cleanup.

If a session variable is used on a page to store data, then that session variable should be set to null when leaving that page. All session variables used in an ASP.NET application should be checked for null during the Global.asax session end event, and any that are not null should be set to null at the end of the user session.

 

///--------------------------------------------------------------------------
/// <summary>
/// Method Name: Session_Start
/// Description: Triggers when the session begins to initialize variables
/// </summary>
///
/// <param name="sender">object</param>
/// <param name="e">event argument</param>
///--------------------------------------------------------------------------
protected void Session_Start(object sender, EventArgs e)
{
    Session["ID"] = 0;
    Session["Header"] = string.Empty;
    Session["BreadCrumb"] = string.Empty;
    Session["UserID"] = string.Empty;
}

At the end of the session, the variables will be set to null:

///--------------------------------------------------------------------------
/// <summary>
/// Method Name: Session_End
/// Description: Triggers when the session ends to set variables to null
/// </summary>
///
/// <param name="sender">object</param>
/// <param name="e">event argument</param>
///--------------------------------------------------------------------------
protected void Session_End(object sender, EventArgs e)
{
    // Session_End is raised only when sessionState mode is InProc; in
    // StateServer or SQLServer mode it never fires, so explicit sign-out
    // code must also clear these values.
    Session["ID"] = null;
    Session["Header"] = null;
    Session["BreadCrumb"] = null;
    Session["UserID"] = null;
}

For medium- to large-scale ASP.NET applications, session state can be persisted and managed in a SQL Server database, following the instructions at:

http://support.microsoft.com/kb/311209
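The explicit clean-up the guidance above calls for when a user leaves the application, as an added example written for this page (not the site's own code). It assumes a Web Forms logout page with a button handler named btnLogout_Click and the default ASP.NET_SessionId cookie name (adjust it if sessionState cookieName is configured differently); it drops the session and the forms authentication ticket together, which matters in SQLServer or StateServer mode where Session_End does not run.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical logout page for a Forms Authentication site.
public partial class Logout : Page
{
    protected void btnLogout_Click(object sender, EventArgs e)
    {
        // Null out and discard every session variable now instead of relying
        // on Session_End, which is raised only for InProc session state.
        Session.Clear();
        Session.Abandon();

        // Remove the forms authentication ticket cookie so the user must
        // log in again; the ticket's own timeout still governs idle expiry.
        FormsAuthentication.SignOut();

        // Expire the session identifier cookie so the browser does not
        // present the old ASP.NET_SessionId on its next request.
        // "ASP.NET_SessionId" is the default name and is an assumption here.
        var sessionCookie = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.Now.AddDays(-1),
            HttpOnly = true
        };
        Response.Cookies.Add(sessionCookie);

        // Return the user to the configured login page.
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Call the same three steps from any page that must end the user's session early; abandoning the session alone leaves the authentication ticket valid until its timeout.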