=== on 19 Jan 2021, 10:51:22 Costin Zaharia wrote:
As far as I can tell this rule does not apply to *ASP.Net* and *ASP.Net Core* where the session id cannot be changed. According to https://owasp.org/www-community/controls/Session_Fixation_Protection[OWASP]:
____
Unfortunately, some platforms, notably Microsoft ASP, do not generate new values for sessionid cookies, but rather just associate the existing value with a new session. This guarantees that almost all ASP apps will be vulnerable to session fixation, unless they have taken specific measures to protect against it.
____