My client is stating that when they run HP Web inspect against their new DNN portal they are identifying a "Session Fixation" security flaw in DNN.

Has anyone else run into this?

How did you resolve it?

From what I can see from the documentation online to avoid this on login you need to explicitly issue a new ASP.NET_SessionId and on logout you need to explicitly null and\or expire it.

Excerpt from the error description I received

"Session fixation allows an attacker to impersonate a user by abusing an authenticated session ID (SID). This attack can occur
when a web application:
· Fails to supply a new, unique SID to a user following a successful authentication
· Allows a user to provide the SID to be used after authenticating"

The reason this error is reported by a number of different test and site check systems - is that DNN does not null out the sessionid on logout.

I seem to recall some time back that there was a JIRA request for this to be added to the core - but that it was closed with no action.  With the reason being that because of how DNN works there is NO attack risk since dnn does not use the session id for its authentication.

Now while this may be true - it still have implications for some shopping cart type systems that do seem to use the sessionid  -  as such - while it seems like sure it may not - Ive always thought that it should still be happening since it IS considered web best practice to clear sessionid when logging out.

It is however a very simple thing to change if it really bothers you - Basically it involves adding two lines of code to the /DesktopModules/Admin/Authentication/logoff.aspx.cs file - The suggested code is something like the following

private void DoLogoff()
{
try
{

//Remove user from cache

if (User != null)
{
DataCache.ClearUserCache(PortalSettings.PortalId, Context.User.Identity.Name); }

Session.Clear();             ///  add these two lines
Session.Abandon();      ///  add these two lines

var objPortalSecurity = new PortalSecurity();

objPortalSecurity.SignOut();

}

catch (Exception exc) //Page failed to load

{

Exceptions.ProcessPageLoadException(exc);

}

}

Sorry if I came off as trite, but trust me I know of your pain regarding automated scanners (this month I've received numerous reports, many numbering in the hundreds of pages, one arriving in more than 1200 pages long). These are composed almost entirely of "false-positives", or even worse of warnings about using particular code. One vendor even detects if you are using .net file API's and add's a warning that these may be dangerous - no evidence, no identifying suspect code, just a generic warning that code that does file access may be unsafe - this to my mind is simply padding out reports for their (often overpriced) tools, and all it does is scare people who run them who insist these warnings disappear.

We often "fix" false positives simply to remove them from automated scanner reports, as it's simpler to fix something that is a false-positive rather than have to provide an explanation every time we receive a report about it. However there are cases where we cannot make changes so we simply have to live with the invalid reports and when requested we provide a quick response to confirm that something is a false-positive - this is all I was doing in your case.