Config Files Disabled Session Id Regeneration
Description
Detects when ASP.NET web applications are configured to not regenerate session IDs for expired sessions through the regenerateExpiredSessionId setting. This misconfiguration enables session fixation attacks where an attacker can force a user to use a known session identifier, potentially hijacking their session.
Detection Strategy
• Search for system.web tags in .NET configuration files
• Look for sessionState elements with regenerateExpiredSessionId='false'
• Verify the cookieless attribute is not set to a cookie-based mode
• Report vulnerability when these conditions are met, indicating disabled session ID regeneration
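The detection strategy above, as an added example that is not Fluid Attacks' own checker: a Python script that parses a web.config and reports each sessionState element under system.web that matches the three conditions. The sample configurations are constructed, and treating a missing cookieless attribute as "not set to a cookie-based mode" is this example's assumption.

```python
import xml.etree.ElementTree as ET

# cookieless values under which the session ID travels in a cookie; any other
# value (UseUri, UseDeviceProfile, AutoDetect, true) is treated as non-cookie-based.
COOKIE_BASED_MODES = {"usecookies", "false"}


def find_disabled_regeneration(config_xml: str) -> list:
    """Return one finding per <sessionState> under <system.web> that sets
    regenerateExpiredSessionId="false" without a cookie-based cookieless mode."""
    root = ET.fromstring(config_xml)
    findings = []
    # iter() also reaches <system.web> nested under <location> wrappers
    for system_web in root.iter("system.web"):
        for state in system_web.findall("sessionState"):
            regen = state.get("regenerateExpiredSessionId", "").strip().lower()
            cookieless = state.get("cookieless", "").strip().lower()
            # Only an explicit "false" is reported; an absent attribute is left
            # to the framework default and not flagged (assumption of this example).
            if regen != "false":
                continue
            # An absent cookieless attribute is not "set to a cookie-based mode",
            # so it is reported (assumption of this example).
            if cookieless in COOKIE_BASED_MODES:
                continue
            findings.append({"cookieless": cookieless or "(not set)",
                             "regenerateExpiredSessionId": regen})
    return findings


def _config(session_state_attrs: str) -> str:
    """Build a minimal constructed web.config around one <sessionState> element."""
    return ('<?xml version="1.0" encoding="utf-8"?>\n<configuration>\n  <system.web>\n'
            f'    <sessionState {session_state_attrs} />\n  </system.web>\n</configuration>')


# Constructed sample configurations (not taken from any real application)
VULNERABLE_CONFIG = _config('cookieless="UseUri" regenerateExpiredSessionId="false"')
UNSET_COOKIELESS_CONFIG = _config('regenerateExpiredSessionId="false"')
SECURE_CONFIG = _config('cookieless="UseCookies" regenerateExpiredSessionId="false"')
DEFAULT_REGEN_CONFIG = _config('cookieless="UseUri"')

if __name__ == "__main__":
    for name, cfg in [("vulnerable", VULNERABLE_CONFIG), ("unset cookieless", UNSET_COOKIELESS_CONFIG),
                      ("secure", SECURE_CONFIG), ("default regen", DEFAULT_REGEN_CONFIG)]:
        print(name, "->", find_disabled_regeneration(cfg) or "no finding")
```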
Vulnerable code example
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- UNSAFE: expired session IDs are not regenerated, and cookieless sessions expose the session ID in URLs -->
    <sessionState cookieless="UseUri" regenerateExpiredSessionId="false" />
  </system.web>
</configuration>
✅ Secure code example
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- SAFE: Uses secure cookie-based sessions instead of URL-based sessions -->
    <sessionState cookieless="UseCookies" />
  </system.web>
</configuration>