Query module AbandonSession

name: Failure to abandon session
description: Reusing an existing session as a different user could allow an attacker to access someone else’s account by using their session.
kind: problem
problem.severity: error
precision: high
id: cs/session-reuse
tags: security external/cwe/cwe-384

Imports

Security

Provides classes related to the namespace System.Web.Security.

csharp

The default C# QL library.

Predicates

controlStep

A control flow step that is not sanitised by a call to clear the session.

loginMethod

sessionEndMethod

A method that directly or indirectly clears HttpSessionState.

sessionUse

A use of HttpSessionState, other than to clear it.

Classes

SystemWebSessionStateHttpSessionStateClass

The System.Web.SessionState.HttpSessionState class.