ASP.NET session security

Session security is one of the cornerstones of web application security. The NWebsec.SessionSecurity library introduces authenticated session identifiers to improve the security of ASP.NET sessions, preventing, for example, session fixation attacks.

To learn more about the issues in how ASP.NET handles sessions and how NWebsec.SessionSecurity helps improve security, check out the blog post Ramping up ASP.NET session security. The post describes issues related to how browsers handle cookies. To see it for yourself, put your browser to the cookie test.

To learn more about the library, see the docs at the project site.

To see the authenticated session identifiers in action on this site, go to authenticated session identifiers for a demo.

For a short summary of session fixation and to try out the attack, refer to session fixation.