Session Hijacking Protection in ASP.NET

故里飘歌 2021-01-02 18:17

I'd like to find out what session ID hijacking protection is built into the current version of ASP.NET.

I recently saw this very informative article that explains h

2 answers
  •  萌比男神i
    2021-01-02 18:46

    Check out this snippet from the Session Overview documentation:

    System.Web.SessionState.HttpSessionState.SessionID values are sent in clear text, whether as a cookie or as part of the URL. A malicious user could get access to the session of another user by obtaining the SessionID value and including it in requests to the server. If you are storing sensitive information in session state, it is recommended that you use SSL to encrypt any communication between the browser and server that includes the SessionID value.

    http://msdn.microsoft.com/en-us/library/ms178581.aspx

    It seems to me that this means that there is no security baked into Session, so you probably shouldn't use Session as a security measure. Instead, I would recommend relying on ASP.NET security (authentication, authorization).

    Here is an article from the Patterns & Practices group on general security recommendations for ASP.NET.

    http://msdn.microsoft.com/en-us/library/ff649100.aspx
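
A web.config fragment applying the two recommendations in the answer above: keep the SessionID off the URL and on HTTPS only, and let ASP.NET forms authentication, not session state, decide who the user is. This is an added example, not part of the answer or of the Microsoft documentation; the loginUrl path and the timeout values are assumptions.

```xml
<!-- Added example: web.config fragment for ASP.NET (System.Web). -->
<configuration>
  <system.web>
    <!--
      Weak form, shown for comparison only:
        <sessionState cookieless="UseUri" />
        <httpCookies requireSSL="false" httpOnlyCookies="false" />
      UseUri embeds the SessionID in every URL, where it ends up in
      browser history, Referer headers and proxy logs.
    -->

    <!-- Keep the SessionID in a cookie, never in the URL.
         timeout (minutes) is an assumed value. -->
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />

    <!-- requireSSL sets the Secure flag, so cookies ASP.NET issues are
         only sent over HTTPS. httpOnlyCookies keeps client-side script
         from reading them. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

    <!-- Access decisions rest on the forms-authentication ticket,
         not on the existence of a session.
         loginUrl is a hypothetical path. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="true"
             cookieless="UseCookies" protection="All"
             timeout="20" slidingExpiration="true" />
    </authentication>
    <authorization>
      <!-- "?" means anonymous users. -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

With requireSSL="true" the whole site has to be served over HTTPS; on plain HTTP the browser withholds the cookies and every request starts a new session.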
