Session Fixation Overview

5 Jan 2012, CPOL
All of the other methods of session hijacking (http://cleverlogic.net/content/session-hijacking) focus on stealing or predicting a session identifier that has already been created, and then using it. Session fixation, on the other hand, is where the attacker sets the user’s session identifier before that user logs into a site. The attacker therefore already knows the user’s session identifier and can easily make use of it (ACROS, 2007). Session identifiers can be fixed by the use of:

  • URLs
    • The attacker puts the session identifier in a URL that the client clicks on (example: www.joshuakissoon.com?PHPSESSID=1234); this sets that user’s session identifier to 1234. Having set the user’s session identifier, the attacker can easily exploit that user’s session (ACROS, 2007).
  • Hidden form fields
    • The attacker tricks the user into logging in to the target web server through a look-alike login form that in reality comes from another web server (probably the attacker’s). During the login, the attacker can easily capture or set that user’s session information.
  • Cookies
    • The attacker sets the user’s cookie using some script (example: document.cookie="PHPSESSID=1233") (ACROS, 2007).

Since this attack relies on the attacker finding some way to set the user’s session identifier, there are several settings and practices that can be used to reduce or prevent it:

  • Setting "session.use_only_cookies" to true (1) in your PHP configuration. This stops the session identifier from being taken from a value passed in the URL.
  • Users should check hyperlinks before clicking on them: when a user hovers over a hyperlink, browsers display the URL that the hyperlink points to at the bottom of the browser window (Snyder, Southwell, & Myer, 2010).
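Added example (not code from the article or from the works it cites): a minimal Python model of a server-side session store that shows why adopting a client-supplied identifier makes fixation work, and how two defensive behaviours close it: refusing identifiers the server never issued (what PHP's session.use_only_cookies does for URL-supplied values and session.use_strict_mode does for any carrier) and issuing a fresh identifier at login (as PHP's session_regenerate_id() does). The store, the user names and the identifier "fixed123" are constructed for the demonstration.

```python
import secrets


class SessionStore:
    """Toy session store; both flags model server-side configuration choices."""

    def __init__(self, accept_unknown_ids: bool, regenerate_on_login: bool):
        self.accept_unknown_ids = accept_unknown_ids      # weak: like use_only_cookies=0 / use_strict_mode=0
        self.regenerate_on_login = regenerate_on_login    # strong: new id at authentication
        self.sessions = {}                                # sid -> {"user": name or None}

    def resolve(self, presented_sid):
        """Map the identifier carried by a request to a server-side session."""
        if presented_sid in self.sessions:
            return presented_sid
        if presented_sid is not None and self.accept_unknown_ids:
            # Vulnerable behaviour: adopt whatever identifier the request brought
            # (e.g. ?PHPSESSID=1234 from a crafted link) and create a session under it.
            self.sessions[presented_sid] = {"user": None}
            return presented_sid
        # Hardened behaviour: ignore unknown identifiers and mint a fresh, random one.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid, user):
        """Authenticate the request's session; returns the id the client should keep."""
        sid = self.resolve(presented_sid)
        if self.regenerate_on_login:
            # Privilege changes, so any identifier known before authentication
            # must stop referring to the now-authenticated session.
            data = self.sessions.pop(sid)
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_succeeds(store: SessionStore) -> bool:
    """True if an identifier chosen before login still works as the victim afterwards."""
    fixed = "fixed123"                 # constructed: the value planted via URL/cookie
    store.login(fixed, "victim")       # victim follows the planted identifier and logs in
    return store.whoami(fixed) == "victim"
```

Only the store with both protections off lets the planted identifier become an authenticated session; either protection alone is enough in this model.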

References 

  • ACROS. (2007). Session Fixation vulnerability in Web-Based Applications. ACROS.
  • Snyder, C., Southwell, M., & Myer, T. (2010). Pro PHP Security. Apress.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

JoshuaKissoon
Student Codestorm Guyana
Guyana Guyana
Currently pursuing my M.Tech in Information Security at NIT Warangal, India.
Article Copyright 2012 by JoshuaKissoon