Classic ASP: ASPSessionID is reused

Question

I know how to handle this in ASP.NET, but is there a way to force the Classic ASP Session ID to be cleared? It is a randomly generated ID like ASPSESSIONIDG32423E that does not seem to be available in RESPONSE.COOKIES collection thus I can not clear it. We have a class ASP site still hanging around and recently it was an audit finding that after the user logs out the same session ID is reused.

MORE CLARIFICATION:

First visit to page, I see this in the proxy editor in Response:

Set-Cookie: ASPSESSIONID=PUYQGHUMEAAJPUYL; path=/Webapp

After a logout, I call Session.RemoveAll and Session.Abandon and then redirect user to login page. At which point I should see a new Set-Cookie with a different value for SessionID. Instead, I do not get a new cookie and the new login session reuses the original session cookie. This is an audit finding that we have to resolve in some way but there does not seem to be a way to control this.

Answer 1

So I did come up with a solution for this as follows. I added two pages called Start.asp and Start2.asp. The original login page was changed to check for a post variable which is now set on Start2.asp, so if login.asp does not see that post variable, it redirects to Start.asp. Start.asp invalidates the ASPSessionID by setting it to 0. The key is using Response.AddHeader "Set-Cookie" in order to do this since Response.Cookies("ASPSESSIONID...") gives an error that you can't access the element:

Code for Start.ASP

<%
If instr(Request.ServerVariables("HTTP_COOKIE"), "ASPSESSIONID") > 0 Then

    Dim Allcookies

    AllCookies = Split(Request.ServerVariables("HTTP_COOKIE"),";")
    For i = 1 to UBound(AllCookies)

        If instr(AllCookies(i), "ASPSESSIONID") > 0 Then
            Response.AddHeader "Set-Cookie", Left(AllCookies(i),instr(AllCookies(i),"=") -1) & "=0; path=/;secure;httponly"
        End if

    Next 
End if

Response.Redirect("start2.asp")
%>

Next, it calls Start2.asp which looks for all ASPSEssionID cookies and appends Secure; httponly (I had to add these for another finding, ASP metabase setting to add secure only works if the SSL cert. is on the web server. In our case the SSL cert is on a load balancer in front of the web server).

Code for Start2.asp

<%
    'CODE for authorization/authentication
   '...

Session.Contents.RemoveAll
Session.Abandon
If instr(Request.ServerVariables("HTTP_COOKIE"), "ASPSESSIONID") > 0 Then
       Dim Allcookies

        AllCookies = Split(Request.ServerVariables("HTTP_COOKIE"),";")

        For i = 1 to UBound(AllCookies)

            if left(Request.ServerVariables("HTTP_HOST"),2) = "65" and instr(AllCookies(i), "ASPSESSIONID") > 0 Then
                Response.AddHeader "Set-Cookie", AllCookies(i) & "; path=/;secure;httponly"
            End if        

        Next 

End if

%>

<html>
<body>
<form action="login.asp" method="post">
<input type="hidden" name="start2" id="start2" value="Yes" />

</form>

<script type="text/javascript">
     document.forms[0].submit();
</script>
</body>
</html>

Really, though, the new ASPSessionID is not generated until within Start2.asp so that Set-Cookie code for secure and httponly has to also be done in login.asp. So the same code above was copied to the top of login.asp just after this code:

If request.form("Start2") = "" Then
    Response.Redirect("start.asp")
End if

Answer 2

IMO - you need to end the session rather than just clear out the session ID. In this case, Session.Abandon is the solution. Ref.: https://devguru.com/content/technologies/asp/session-abandon.html

HTH.

Answer 3

This relates to ASP.NET but describes the behaviour you are seeing in ASP

When you abandon a session, the session ID cookie is not removed from the browser of the user. Therefore, as soon as the session has been abandoned, any new requests to the same application will use the same session ID but will have a new session state instance.

http://support.microsoft.com/?kbid=899918

This behaviour will only occur if using the same browser for the same session, as soon as the browser is closed the session cookie will be lost (providing an explicit expiry date has not been set).

You could try calling Session.Abandon then redirect the user to a page which uses JavaScript to clear all cookies, then redirect to the login page, or whatever page you like.

Clearing all cookies with JavaScript