Thursday, 4 October 2012

Session Fixation

In a session fixation attack the attacker does not steal the victim's session identifier; the attacker chooses it in advance and makes the victim's browser use it. In PHP this is typically done by giving the victim a URL such as http://www.mysite.com/index.php?session_name=session_id, where session_name is the name of the session parameter (PHPSESSID by default) and session_id is a value the attacker picked. Once the victim follows the link and logs in, the attacker presents the same identifier, and from that point on the attack is identical to session hijacking.
The default session_name is PHPSESSID; it can be changed in php.ini (session.name) or with session_name().
A session_id is a unique string that identifies one session; PHP accepts identifiers built from the characters a-z, A-Z, 0-9, "," (comma) and "-" (minus).

The most crucial piece of information for an attacker is the session identifier, because this is required for any impersonation attack. There are three common methods used to obtain a valid session identifier:

  1.     Prediction: guessing a valid session identifier. With PHP's native session mechanism the identifier is generated from a large random input, so this is unlikely to be the weakest point.
  2.     Capture: obtaining a valid session identifier that a real user is already using. This is the most common type of session attack, and there are many ways to do it (sniffing unencrypted traffic, cross-site scripting, a leaked Referer header), because session identifiers are propagated in cookies or as GET variables.
  3.     Fixation: the simplest method, because the attacker never has to obtain the identifier at all. The attacker supplies it, and if the application's session handling consists of nothing more than session_start(), PHP accepts it; calling session_id() after session_start() simply returns the value the attacker chose.


What to do
Change the session name from the default PHPSESSID, either in php.ini (session.name) or with session_name('new_session_name') before session_start(). On its own this only hides the parameter name and does not stop fixation, so treat it as minor hardening rather than a fix.
Set session.use_trans_sid = 0 in your php.ini file. This tells PHP not to append the identifier to URLs and forms.
Set session.use_only_cookies = 1 in your php.ini file. This tells PHP to read the identifier from the cookie only, so an identifier passed in the URL is ignored. Note that PHP will still accept any identifier presented in the cookie, so an attacker who can set a cookie for your domain can still fix the session; the regeneration step below is what closes that gap.
Regenerate the session identifier with session_regenerate_id(true) whenever the session's status changes. That means any of the following:
  • User authentication (login, and also logout)
  • Storing sensitive information in the session
  • Changing the privilege level or anything else about the session
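The steps above put together, as an added example that is not code from the original post. The first login handler is the vulnerable pattern the post describes (nothing more than session_start()); the second applies the ini settings and the regeneration step. The site URL, the cookie name app_sid, the $users table and check_credentials() are assumptions made for illustration only.

```php
<?php
// Added example, not from the original post. The user table, cookie name
// and site URL are assumptions for illustration.

// --- Vulnerable: nothing more than session_start() ------------------------
// The attacker sends the victim to
//   http://www.mysite.com/index.php?PHPSESSID=attackerchosenid
// (or plants that value as a cookie). PHP adopts "attackerchosenid", the
// victim logs in, and the attacker's browser, which already carries the same
// identifier, is now authenticated as the victim.
function vulnerable_login(string $user, string $password): bool
{
    session_start();                        // accepts whatever id arrived
    if (!check_credentials($user, $password)) {
        return false;
    }
    $_SESSION['user'] = $user;              // privilege attached to the fixed id
    return true;
}

// --- Hardened -------------------------------------------------------------
function hardened_login(string $user, string $password): bool
{
    // Same settings as the php.ini lines above; they must be applied
    // before session_start() to have any effect on this request.
    ini_set('session.use_only_cookies', '1');   // never read the id from the URL
    ini_set('session.use_trans_sid', '0');      // never append the id to URLs
    ini_set('session.cookie_httponly', '1');    // keep the cookie away from JS
    if (!empty($_SERVER['HTTPS'])) {
        ini_set('session.cookie_secure', '1');  // only send the cookie over TLS
    }
    session_name('app_sid');                    // assumed name, instead of PHPSESSID

    session_start();
    if (!check_credentials($user, $password)) {
        return false;
    }

    // Status change: discard the possibly attacker-chosen identifier, issue
    // a fresh one, and (true) delete the old session data so the fixed id
    // never becomes a valid authenticated session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
    return true;
}

// Logout is also a status change: clear the data, expire the cookie,
// destroy the session on the server.
function hardened_logout(): void
{
    session_start();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Hypothetical credential check against a constructed one-user table.
// password_hash()/password_verify() need PHP 5.5 or later; in a real
// application the hash is stored in a database, not recomputed here.
function check_credentials(string $user, string $password): bool
{
    $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}
```

session_regenerate_id() belongs at the moment of privilege change, not on every request; regenerating on every page makes concurrent requests race for the new identifier and gains nothing against fixation. On PHP 5.5.2 and later, session.use_strict_mode = 1 makes PHP refuse any identifier it did not itself generate, which removes the root cause directly and is worth enabling alongside the regeneration shown here.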