In a recent security scan using IBM AppScan in one of our ASP.NET applications, the following medium vulnerability is reported
Session Identifier Not Updated
Severity: Medium
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Insecure web application programming or configuration.
I found different threads talk about the same and found suggested solutions as well. But in that KB article Microsoft explains how reuse of session IDs could be useful and the same article doesn't mention any risks about the reuse of session IDs. Also in Session Identifiers | MSDN no risks mentioned other than SessionID values are sent in clear text whether as a cookie or as part of the URL.
So my question here is that risk is a real vulnerability / possible session fixation attack or it is just false positive risk?
Using cookies always brings some level of vulnerability, if the transport medium is not secured.
This means that you could elaborate on what happens when someone eavesdrops session cookies or forms authentication cookies or any other cookies but having your communication over secured wire (SSL) removes all such threats.
I can't think of a reason why it would be ASP.NET specific and session cookie specific. Also, I don't quite understand what they meant here
First, the "or". To manipulate the session you have to steal it first. Then, the "and". You can't manipulate cookies, you can only steal them.
This should rather be then
In a response to such warning, you should make sure that: