Session Fixation

Session Fixation is a security vulnerability in which an attacker sets a victim’s Session Identifier (SID) to a value the attacker already knows, allowing the attacker to use that session once the victim has signed in. This would allow the malicious user to access the victim’s private information.

For Example:

Jason has determined that his neighbor Joe’s bank site, http://mybank.com, is susceptible to a session fixation attack. Jason then sends Joe an email with a link to the bank that sets the session ID to a value known to him: http://mybank.com?SID=12345. Joe, trusting his neighbor, clicks on the link and proceeds to sign in to his account online. Jason can now use the link he sent Joe to access Joe’s account.

Prevention:

This attack can be avoided by changing the user’s SID whenever their permission level changes, e.g. at login. This means that even if Joe clicks on the link sent by Jason, once he logs in to his account the site generates a new SID for him that Jason does not know, so Jason cannot get access to Joe’s account.

Pseudo code [PHP]:

public function authenticate() {
    // a session must be active before its id can be regenerated
    if ( session_status() !== PHP_SESSION_ACTIVE ) {
        session_start();
    }

    // get user name (empty string if the field is missing)
    $user_name = $_POST['user_name'] ?? '';

    // get password
    $password = $_POST['password'] ?? '';

    // validate the user against the credential store
    if ( validateUser( $user_name, $password ) ) {
        // regenerate the session id and delete the old session file,
        // so any id planted before login no longer maps to this user
        session_regenerate_id( true );
        return true;
    } else {
        return false;
    }
}
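To make the difference between the vulnerable and the protected login concrete, the following added example (not code from the original post) simulates the server side of the scenario above in Python with a constructed in-memory session store. `vulnerable_login` keeps using whatever SID arrived with the request, so the planted value 12345 ends up bound to Joe's account; `safe_login` does what the PHP pseudo code does with session_regenerate_id(true): it replaces the identifier on successful authentication, so the value Jason planted maps to nothing. The store, the `validate_user` stub and the credentials are assumptions made for this illustration.

```python
import secrets


# Constructed credential check standing in for the page's validateUser().
def validate_user(user_name, password):
    return user_name == "joe" and password == "correct horse"


class SessionStore:
    """Constructed in-memory session store: sid -> {"user": name or None}."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # Server-generated, unguessable identifier.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def adopt_client_sid(self, sid):
        # Weak behaviour: treat a client-supplied id as a real session.
        # This is what makes fixation possible in the first place.
        self._sessions.setdefault(sid, {"user": None})
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, old_sid):
        """Move the session data to a fresh id and delete the old one,
        mirroring session_regenerate_id(true)."""
        data = self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data if data is not None else {"user": None}
        return new_sid


def vulnerable_login(store, request_sid, user_name, password):
    """Fixation-prone: the SID that arrived (e.g. ?SID=12345 from a link)
    is kept after authentication, so whoever chose it owns the session."""
    if not validate_user(user_name, password):
        return None
    sid = store.adopt_client_sid(request_sid)
    store.get(sid)["user"] = user_name
    return sid


def safe_login(store, request_sid, user_name, password):
    """Hardened: a planted or unknown SID is never adopted, and the SID is
    always replaced once the user authenticates."""
    if not validate_user(user_name, password):
        return None
    if store.get(request_sid) is None:
        request_sid = store.create()  # ignore ids the server never issued
    new_sid = store.regenerate(request_sid)
    store.get(new_sid)["user"] = user_name
    return new_sid


def demo():
    """Replay the page's scenario: Jason plants SID 12345, Joe logs in."""
    planted = "12345"

    vuln = SessionStore()
    vulnerable_login(vuln, planted, "joe", "correct horse")
    jason_sees_vuln = vuln.get(planted)  # {"user": "joe"}: account exposed

    safe = SessionStore()
    joes_sid = safe_login(safe, planted, "joe", "correct horse")
    jason_sees_safe = safe.get(planted)  # None: planted id is useless

    return jason_sees_vuln, jason_sees_safe, safe.get(joes_sid)


if __name__ == "__main__":
    print(demo())
```

Regeneration at login is the fix the post describes; the store's refusal to adopt ids it never issued is a second, complementary layer (in PHP the equivalent setting is session.use_strict_mode), and the two together are what a reviewer should look for in a login handler.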
// PHP // Security //
