Session Fixation on Azure
How Session Fixation Manifests in Azure
Session fixation attacks in Azure environments exploit how authentication sessions are managed across different Azure services. Unlike traditional web applications, Azure's distributed architecture introduces unique attack vectors that developers must understand.
In Azure App Service, session fixation often occurs when developers rely on default session management without understanding the underlying mechanisms. Azure uses in-memory session storage by default, which means session IDs are generated but not properly invalidated during authentication state changes.
// Vulnerable pattern in Azure App Service
public class AuthenticationController : Controller
{
public IActionResult Login(string returnUrl)
{
// Creates session before authentication
var sessionId = HttpContext.Session.Id;
return View();
}
[HttpPost]
public async Task Login(LoginModel model)
{
// Authentication succeeds but uses existing session
var user = await _authService.ValidateCredentials(model);
if (user != null)
{
// BUG: Session ID remains the same!
HttpContext.Session.SetString("UserId", user.Id);
return Redirect(model.ReturnUrl);
}
return View();
}
} This pattern is particularly dangerous in Azure because session data persists across application restarts and can be shared across instances in a scale-out deployment. An attacker who obtains a session ID before authentication can hijack the session after the victim logs in.
Azure Functions presents another attack surface. When using Azure Functions with HTTP triggers, developers often overlook that function instances can be reused across different requests, potentially allowing session fixation if session state isn't properly managed.
// Vulnerable Azure Function pattern
public static class AuthFunction
{
[FunctionName("Login")]
public static async Task Run(
[HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = "login")] HttpRequest req,
ILogger log)
{
var sessionId = req.Cookies["ASP.NET_SessionId"];
// No session regeneration after authentication
var user = await ValidateUser(req);
if (user != null)
{
await AddToSession(req, user); // Uses existing session
return new OkResult();
}
return new BadRequestResult();
}
} Azure Active Directory B2C (Azure AD B2C) introduces additional complexity. When integrating custom policies with Azure AD B2C, session fixation can occur if the relying party application doesn't properly handle the authentication context.
// Vulnerable Azure AD B2C integration
public class B2CAuthService
{
public async Task Authenticate(string policy, string returnUrl)
{
var redirectUrl = $"https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/oauth2/v2.0/authorize?...";
// BUG: No session isolation between policies
var existingSession = HttpContext.Session.GetString("Policy");
if (existingSession != policy)
{
// Should invalidate session here
}
return await ProcessAuthResponse();
}
} Azure Kubernetes Service (AKS) deployments compound these issues when using Azure's managed identity patterns. Session fixation can persist across pod restarts if session storage isn't properly configured with external providers like Azure Cache for Redis.
Azure-Specific Detection
Detecting session fixation in Azure requires understanding both the platform's session management and the specific attack patterns that emerge in distributed environments.
middleBrick's Azure-specific scanning identifies session fixation through several mechanisms. The scanner examines HTTP response headers for session-related cookies that persist across authentication boundaries. It also analyzes the authentication flow to detect missing session invalidation points.
# Using middleBrick CLI to scan Azure endpoints
middlebrick scan https://yourapp.azurewebsites.net/login \
--output json | jq '.findings[] | select(.category == "Authentication")'
The scanner specifically looks for these Azure patterns:
- ASP.NET_SessionId cookies present before and after authentication
- Missing session regeneration in Azure Functions HTTP triggers
- Azure AD B2C policy session isolation failures
- Azure Cache for Redis session storage misconfigurations
For Azure App Service, middleBrick analyzes the session management implementation by examining the authentication middleware configuration:
// middleBrick detection pattern
public class SessionFixationDetector
{
public DetectionResult Analyze(HttpContext context)
{
var cookies = context.Request.Cookies;
var hasPreAuthSession = cookies.ContainsKey("ASP.NET_SessionId");
// Check if session exists before authentication
if (hasPreAuthSession && !IsAuthenticated(context))
{
return new DetectionResult {
Severity = Severity.High,
Finding = "Pre-authentication session detected",
Recommendation = "Invalidate session before authentication"
};
}
return DetectionResult.None;
}
}Azure Functions runtime behavior creates unique detection challenges. middleBrick's scanner instruments the function execution context to track session state across cold starts and warm instance reuse:
// Azure Functions session tracking
public static class FunctionSessionTracker
{
[Deterministic]
public static bool HasSessionFixationRisk(HttpRequestData request)
{
var sessionId = GetSessionId(request);
var isAuthEndpoint = request.Url.Contains("/login");
var hasExistingSession = sessionId != null;
// Risk if login endpoint accepts existing session
return isAuthEndpoint && hasExistingSession;
}
}For Azure AD B2C integrations, middleBrick analyzes the custom policy XML files and the relying party application code to detect session isolation issues between different authentication policies.
Azure-Specific Remediation
Remediating session fixation in Azure requires platform-specific approaches that leverage Azure's native security features and session management capabilities.
For Azure App Service, the most effective remediation is implementing proper session regeneration during authentication. Azure provides built-in middleware that handles this correctly when configured properly.
// Secure Azure App Service pattern
public class SecureAuthenticationController : Controller
{
public IActionResult Login(string returnUrl)
{
// No session created before authentication
return View();
}
[HttpPost]
public async Task Login(LoginModel model)
{
// Authenticate first, then create session
var user = await _authService.ValidateCredentials(model);
if (user != null)
{
// Regenerate session ID after authentication
HttpContext.Session.Clear();
var newSessionId = HttpContext.Session.Id;
HttpContext.Session.SetString("UserId", user.Id);
HttpContext.Session.SetString("Authenticated", "true");
return Redirect(model.ReturnUrl);
}
return View();
}
} Azure Functions require a different approach since they don't have built-in session management. The recommended pattern is using Azure Functions' stateless design with distributed session storage like Azure Cache for Redis.
// Secure Azure Functions pattern
public static class SecureAuthFunction
{
private static readonly ConnectionMultiplexer _redis =
ConnectionMultiplexer.Connect("your-redis-connection-string");
[FunctionName("Login")]
public static async Task Run(
[HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = "login")] HttpRequest req,
ILogger log)
{
// Stateless authentication - no session fixation possible
var user = await ValidateUser(req);
if (user != null)
{
// Create new session in Redis with secure configuration
var sessionId = Guid.NewGuid().ToString();
var sessionData = new SessionData {
UserId = user.Id,
AuthenticatedAt = DateTime.UtcNow,
SessionId = sessionId
};
var db = _redis.GetDatabase();
await db.StringSetAsync($"session:{sessionId}",
JsonSerializer.Serialize(sessionData),
TimeSpan.FromHours(1));
var response = new OkObjectResult(new {
token = sessionId,
user = user.Id
});
return response;
}
return new BadRequestObjectResult("Invalid credentials");
}
} For Azure AD B2C implementations, proper session isolation between authentication policies is critical. The remediation involves implementing policy-specific session handling and proper logout procedures.
// Secure Azure AD B2C integration
public class SecureB2CAuthService
{
public async Task Authenticate(string policy, string returnUrl)
{
// Invalidate existing session for different policies
var currentPolicy = HttpContext.Session.GetString("Policy");
if (currentPolicy != null && currentPolicy != policy)
{
await SignOutAsync(); // Azure AD B2C logout
HttpContext.Session.Clear();
}
var redirectUrl = BuildAuthUrl(policy, returnUrl);
return await ProcessAuthResponse();
}
private async Task SignOutAsync()
{
// Azure AD B2C logout to invalidate tokens
var logoutUrl = $"https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/{policy}/oauth2/v2.0/logout";
await HttpContext.SignOutAsync();
}
} In Azure Kubernetes Service deployments, session fixation remediation involves using Azure's managed identity patterns with proper pod identity configuration and avoiding shared session storage across different authentication contexts.