All of the other methods of session hijacking (http://cleverlogic.net/content/session-hijacking) focus on stealing or predicting a session identifier that has already been created and then using it. Session fixation, on the other hand, is where the attacker sets the user's session identifier before that user logs into a site. In this case the attacker already knows the user's session identifier and can easily make use of it (ACROS, 2007). Session identifiers can be fixed by the use of:
- URL arguments: the attacker puts the session identifier in a URL that the client clicks on (example: www.joshuakissoon.com?PHPSESSID=1234); this sets that user's session identifier to 1234. Once the user's session identifier is set, the attacker can easily exploit that user's session (ACROS, 2007).
- Hidden form fields: the attacker tricks the user into logging in to the target web server through a look-alike login form that in reality comes from another web server (probably the attacker's server). During the login, the attacker can easily capture or set that user's session information.
- Cookies: the attacker sets the user's cookie information using a script (example: document.cookie="PHPSESSID=1233") (ACROS, 2007).
Since this attack is carried out by the attacker using some method to set the user's session cookie, there are several measures that can reduce or prevent it:
- Set session.use_only_cookies to 1 (true) in the PHP configuration on your web server. This makes PHP ignore session identifiers passed in the URL, so a link like the one above can no longer fix the session.
- Users should check hyperlinks before clicking on them: when a user hovers over a hyperlink, the browser displays the URL that the hyperlink points to at the bottom of the window (Snyder, Southwell, & Myer, Pro PHP Security, 2010).
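The following PHP login bootstrap applies the session.use_only_cookies setting discussed above together with the related PHP session options, and goes one step beyond the list by regenerating the session identifier at login so that an identifier fixed before login is useless afterwards. It is an added example, not code from the original article; the function names and the user id 42 are assumptions.

```php
<?php
// Hardened PHP session bootstrap for a login flow (added example, not from the article).
declare(strict_types=1);

/**
 * Apply session settings that close the fixation vectors listed above.
 * Must run before session_start().
 */
function hardenSessionConfig(): void
{
    // Accept the session ID only from the cookie, never from ?PHPSESSID=... in the URL.
    ini_set('session.use_only_cookies', '1');
    // Never rewrite links or forms to carry the session ID.
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server did not generate itself: an attacker-chosen ID such as
    // 1234 is discarded and PHP issues a fresh one instead of adopting it.
    ini_set('session.use_strict_mode', '1');
    // Hide the cookie from document.cookie and send it only over HTTPS.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/**
 * Call only after the credentials have been verified. The pre-login session ID
 * is discarded (and its data file deleted), so a fixed ID never becomes a logged-in one.
 */
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

/** Deployment check: report whether each protective setting is actually in effect. */
function sessionConfigReport(): array
{
    return [
        'use_only_cookies' => ini_get('session.use_only_cookies') === '1',
        'use_trans_sid'    => ini_get('session.use_trans_sid') === '0',
        'use_strict_mode'  => ini_get('session.use_strict_mode') === '1',
    ];
}

hardenSessionConfig();
session_start();
// ... verify username and password here, then on success: ...
loginUser(42); // 42 is an assumed user id for illustration
print_r(sessionConfigReport());
```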
- ACROS. (2007). Session Fixation vulnerability in Web-Based Applications. ACROS.
- Snyder, C., Southwell, M., & Myer, T. (2010). Pro PHP Security. Apress.