Session state best practices:
- Rename the default session id cookie so that its name reveals neither the framework nor its purpose. In ASP.NET the default name is ASP.NET_SessionId, which immediately tells an attacker that the application runs ASP.NET and that this cookie carries the session id. Renaming is a small hardening step only; it does not replace the controls below.
- Make the session id long enough that brute-forcing it is infeasible. The recommended length is 128 bits of random data.
- Generate session ids with a cryptographically secure random number generator (a CSPRNG), never from timestamps, counters or a general-purpose PRNG, so that an attacker who has observed some ids cannot predict the next one.
- Ensure that the session id carries no additional data, sensitive or otherwise. The value should be nothing more than a random string that means nothing except "this is session X"; everything about the session lives on the server.
- Serve every session-based application that handles sensitive data over HTTPS only, so that the session cookie never crosses the network in clear text.
- Create session cookies with the Secure and HttpOnly attributes set.
- Prevent concurrent sessions for the same user where possible.
- Destroy sessions on the server upon timeout, logoff or log-in from a separate location, and issue the session cookie without an expiry date so that the browser discards it when it closes. The server cannot observe a browser close, so the idle timeout remains the backstop for abandoned sessions.
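The following is an added example, not code from the original page: a custom session ID manager for ASP.NET on the .NET Framework that implements the length, randomness and "no extra data" rules above (16 CSPRNG bytes, base64url-encoded, nothing else accepted), plus a helper that destroys a session properly on logoff. The namespace, class names, the assembly name in the registration comment and the cookie name "id" are assumptions.

```csharp
// Added example: 128-bit CSPRNG session ids for ASP.NET and a proper logoff.
// Register the manager in Web.config (type and assembly name are assumptions):
//   <sessionState cookieName="id"
//                 sessionIDManagerType="Demo.SecureSessionIdManager, App_Code" />
using System;
using System.Security.Cryptography;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.SessionState;

namespace Demo
{
    public class SecureSessionIdManager : SessionIDManager
    {
        // 16 random bytes = 128 bits of entropy.
        private const int IdBytes = 16;

        // base64url of 16 bytes is exactly 22 characters; nothing else is accepted,
        // so the id can never smuggle extra data and malformed cookies are rejected.
        private static readonly Regex IdFormat =
            new Regex("^[A-Za-z0-9_-]{22}$", RegexOptions.Compiled);

        // Called by ASP.NET whenever a new session id is needed.
        public override string CreateSessionID(HttpContext context)
        {
            var bytes = new byte[IdBytes];
            using (var rng = new RNGCryptoServiceProvider()) // CSPRNG, not System.Random
            {
                rng.GetBytes(bytes);
            }
            return ToBase64Url(bytes);
        }

        // Called by ASP.NET on every incoming session cookie before it is looked up.
        // Anything that is not a well-formed id is treated as "no session", so a
        // tampered or truncated cookie simply yields a fresh session.
        public override bool Validate(string id)
        {
            return id != null && IdFormat.IsMatch(id);
        }

        private static string ToBase64Url(byte[] bytes)
        {
            return Convert.ToBase64String(bytes)
                          .TrimEnd('=')
                          .Replace('+', '-')
                          .Replace('/', '_');
        }
    }

    public static class SessionTerminator
    {
        // Destroys the server-side session and expires the cookie in the browser.
        // Session.Abandon() alone leaves the old cookie in place, and ASP.NET would
        // reuse that id for the next session the same browser starts.
        public static void Terminate(HttpContext context, string cookieName)
        {
            context.Session.Abandon();
            var expired = new HttpCookie(cookieName, string.Empty)
            {
                Expires = DateTime.UtcNow.AddYears(-1),
                HttpOnly = true,
                Secure = context.Request.IsSecureConnection
            };
            context.Response.Cookies.Add(expired);
        }
    }
}
```

Call `SessionTerminator.Terminate(Context, "id")` from the logoff handler. The Validate override is the part people forget: without it the base class accepts any string of the default format, so restricting the format yourself is what makes "the cookie contains nothing but a random id" an enforced property rather than a convention.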
Cookie best practices:
- Do not store any critical information in cookies. For example, do not store a user's password in a cookie, even temporarily. As a rule, keep nothing in a cookie that, if spoofed, could compromise your application. Instead, store in the cookie only an opaque reference to a location on the server where the information is kept.
- Set expiration dates on cookies to the shortest practical time. Avoid permanent cookies wherever possible.
- Consider encrypting information in cookies, and integrity-protect it as well: encryption alone does not stop a client from tampering with the value.
- Set the Secure and HttpOnly properties on the cookie to true.
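The following is an added example, not code from the original page: a small helper that applies the four cookie rules above at once. It stores only an opaque server-side reference, protects the value with the ASP.NET machine key (MachineKey.Protect encrypts and authenticates, so a tampered cookie fails to decode), gives the cookie a short lifetime, and sets Secure and HttpOnly. It requires .NET Framework 4.5 or later; the class name, purpose string, cookie name and time-to-live are assumptions.

```csharp
// Added example: an opaque, protected, short-lived cookie for ASP.NET (.NET 4.5+).
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public static class OpaqueCookie
{
    // The purpose string binds the protected value to this cookie type: a value
    // protected for another purpose, or under another machineKey, will not unprotect.
    private const string Purpose = "Demo.OpaqueCookie.v1"; // assumed name

    // Writes a reference (for example a server-side record id), never the data itself.
    public static void Write(HttpResponse response, string name, string reference,
                             TimeSpan ttl, bool secure)
    {
        byte[] sealedBytes = MachineKey.Protect(Encoding.UTF8.GetBytes(reference), Purpose);
        var cookie = new HttpCookie(name, HttpServerUtility.UrlTokenEncode(sealedBytes))
        {
            HttpOnly = true,                     // not readable from script
            Secure = secure,                     // only sent over TLS
            Expires = DateTime.UtcNow.Add(ttl),  // shortest practical lifetime; omit for a non-persistent cookie
            Path = "/"
        };
        response.Cookies.Add(cookie);
    }

    // Returns the reference, or null if the cookie is missing, malformed or tampered with.
    public static string Read(HttpRequest request, string name)
    {
        HttpCookie cookie = request.Cookies[name];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        byte[] sealedBytes = HttpServerUtility.UrlTokenDecode(cookie.Value);
        if (sealedBytes == null) return null;    // not valid token encoding

        try
        {
            return Encoding.UTF8.GetString(MachineKey.Unprotect(sealedBytes, Purpose));
        }
        catch (CryptographicException)
        {
            return null;                         // authentication tag did not verify
        }
    }

    // Expires the cookie in the browser, for example on logoff.
    public static void Delete(HttpResponse response, string name, bool secure)
    {
        response.Cookies.Add(new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            HttpOnly = true,
            Secure = secure,
            Path = "/"
        });
    }
}

// Usage from a page or handler (assumed values):
//   OpaqueCookie.Write(Response, "ref", recordId.ToString(),
//                      TimeSpan.FromMinutes(20), Request.IsSecureConnection);
//   string reference = OpaqueCookie.Read(Request, "ref");   // null if absent or tampered
```

Because the cookie only ever holds a reference, a successful decryption by an attacker would still reveal nothing useful, and a forged or modified cookie is rejected before the application ever looks up the reference.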
Code examples
To apply these practices in an ASP.NET application, add the lines below. The Secure and HttpOnly flags can also be enforced for every cookie the application issues, including the session cookie, with the httpCookies element under system.web (httpOnlyCookies="true" requireSSL="true"), which avoids having to touch each cookie in code.
Web.config file (regenerateExpiredSessionId only has an effect in cookieless modes; with cookieless="UseCookies" the relevant settings are the cookie mode and the renamed cookie):
<system.web>
  <sessionState regenerateExpiredSessionId="false"
                cookieless="UseCookies"
                cookieName="id" />
</system.web>
Code-behind file (the original snippet added a new, empty cookie named "id" on every response, which overwrites the browser's session id and effectively logs the user out; the flags must instead be set on the session cookie ASP.NET has already queued, which is present in the response when a session is created):
using System;
using System.Configuration;
using System.Web;

// Only touch the session cookie when it is actually part of this response;
// the Response.Cookies indexer would otherwise create an empty one.
if (Array.IndexOf(Response.Cookies.AllKeys, "id") >= 0)
{
    HttpCookie sessionCookie = Response.Cookies["id"];
    sessionCookie.HttpOnly = true;

    // "SecureCookie" is an appSettings key. Fail closed: a missing or
    // unparsable value must not silently produce a non-Secure cookie.
    bool secure;
    if (!bool.TryParse(ConfigurationManager.AppSettings["SecureCookie"], out secure))
    {
        secure = true;
    }
    sessionCookie.Secure = secure;
}