Kentico CMS 7.0 Developer's Guide

Session management


This topic provides a brief overview of how Kentico CMS handles sessions and gives advice on how to mitigate session-based security threats.

 

When a public user requests a page for the first time, the system creates a session for her. The session stores information about the user, such as the current culture, or the contents of the user's shopping cart.

 

When the user logs in to the system, the system maintains her session so that the user can keep her session data. However, this can pose a threat, since an attacker could create a session and then trick a user into using it. The user will then share the same session with the attacker, which allows the attacker to acquire sensitive information from the session.

 

To prevent session-based attacks, you can insert the following key into the appSettings section of your web.config file:

 

<add key="CMSRenewSessionAuthChange" value="true" />

 

The key will cause the system to renew the session (abandon the old one and create a new one) every time a user logs in or out.
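As an added check (not part of the Kentico documentation) that the renewal actually takes place, the following Python script inspects captured Set-Cookie headers from an anonymous request, a login and a logout, and reports a failure if the session cookie keeps its value across an authentication change. The captured headers are constructed samples; ASP.NET_SessionId is the default ASP.NET session cookie name.

```python
"""Verify that the ASP.NET session ID changes at every login/logout."""
from http.cookies import SimpleCookie

SESSION_COOKIE = "ASP.NET_SessionId"  # default ASP.NET session cookie name


def session_id_from_headers(headers):
    """Return the session ID a response sets, or None if it sets no session cookie."""
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = SimpleCookie()
        cookie.load(value)
        if SESSION_COOKIE in cookie:
            return cookie[SESSION_COOKIE].value
    return None


def check_session_renewal(steps):
    """steps: list of (label, response_headers) in request order.

    Steps labelled 'auth:' are authentication changes (login or logout) and
    must set a session ID that differs from the one currently in effect.
    Returns (all_renewed, findings).
    """
    current = None
    findings = []
    all_renewed = True
    for label, headers in steps:
        new_id = session_id_from_headers(headers)
        if label.startswith("auth:"):
            if new_id is None or new_id == current:
                all_renewed = False
                findings.append(f"{label}: session ID not renewed (still {current})")
            else:
                findings.append(f"{label}: session renewed {current} -> {new_id}")
        if new_id is not None:
            current = new_id  # a step that sets no cookie keeps the old session
    return all_renewed, findings


# Constructed captures: one with renewal at each auth change, one without.
RENEWING = [
    ("anon: GET /", [("Set-Cookie", "ASP.NET_SessionId=aaaa1111; path=/; HttpOnly")]),
    ("auth: POST /login", [("Set-Cookie", "ASP.NET_SessionId=bbbb2222; path=/; HttpOnly"),
                           ("Set-Cookie", ".ASPXAUTH=ticket; path=/; HttpOnly")]),
    ("auth: POST /logout", [("Set-Cookie", "ASP.NET_SessionId=cccc3333; path=/; HttpOnly")]),
]
FIXATION_PRONE = [
    ("anon: GET /", [("Set-Cookie", "ASP.NET_SessionId=aaaa1111; path=/; HttpOnly")]),
    ("auth: POST /login", [("Set-Cookie", ".ASPXAUTH=ticket; path=/; HttpOnly")]),
]
```

Run it against a real capture of your own site before and after adding the key: the second list is what a deployment without renewal produces, and it should no longer occur once the key is active.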

 

 


 

Important!

 

If you enable this setting, users will not be able to preserve their session data after logging in or out.