This topic provides a brief overview of how Kentico CMS handles sessions and a provides advice on how to mitigate session-based security threats.

 

When a public user requests a page for the first time, the system creates a session for her. The session stores information about the user, such as the current culture, or the contents of the user's shopping cart.

 

When the user logs in to the system, the system maintains her session so that the user can keep her session data. However, this can pose a threat, since an attacker could create a session and then trick a user into using the session. The user will then share the same session with the attacker. This way the attacker can acquire sensitive information from the session.

 

To prevent session based attacks, you can insert the following settings key into the appSettings section of your web.config file:

 

 

The key will cause the system to renew the session (abandon the old one and create a new one) every time a user logs in or out.