In this lab you will assign a shorter time period to session expiry in the roleManager and SessionState elements of Web.config to protect session values from being stolen by attackers.
Objective
The objective of this lab is to provide students guidance on how to choose and implement time for session expiry in the roleManager and SessionState elements in theWeb.config file.
Scenario
If the time period of a session is set to be short, an attacker will have less time to steal the session's valuable information.
Secure Session and State Management
Secure Programming Exercises / Secure Session and State Management contains the following Exercises:
- Setting a Limited Time Period for Expiry
- Avoid Using Cookieless Sessions
- Avoid Using UseUri Cookieless Sessions
- Avoid Specifying Cookie Modes to AutoDetect
- Securing the ASP.NET Application from Session Fixation Attacks
- Preventing Session Cookies from Client-Side Scripts Attacks
- Avoid Setting the Expire Attribute to Ensure Cookie Security
- Ensuring Cookie Security Using the Secure Attribute
- Securing ViewState with Hashing
- Securing ViewState with Encryption
The Virtual Private Cloud for this Lab set utilizes:
Secure Programming Exercises are available as part of the following subscription:
Each subscription provides 6 months access to 68 Different Exercises. Each exercise contains a Scenario, Objectives, and individual step by step tasks to guide the user through all steps necessary to complete the exercise. The Secure Programming Exercises are designed to give the user an ultimate hands-on experience. Each exercise category above has it’s own Virtual Private Cloud that comes preconfigured with Vulnerable websites, Victim Machines, and the environment is LOADED with tools. Included in your network share are all the supporting tools required to practice in the Cyber Range / Lab environment.
Lab exercises are included for:
- Input Validation and Output Encoding
- .NET Authentication and Authorization
- Secure Session and State Management
- .NET Cryptography
- .NET Error Handling, Auditing, and Logging
- .NET Secure File Handling
- .NET Configuration Management and Secure Code Review