
From my understanding, if I am not wrong, in session fixation attacks the attacker logs into the server as a legitimate user and creates a valid session. He then tricks the compromised user into using his session, which has already been fixed. My question is how to detect session fixation attacks. One possible solution I have in mind:

  • Bind the session identifier to the source IP, as this is possible with a WAF like ModSecurity.

The problem with this approach is that it may have a high false-positive rate, as the client may be using a proxy server, or may be assigned a dynamic IP address that changes during the session.

Ali Ahmad

1 Answer

6

That's not how a session fixation attack works. The attacker must first trick the user into visiting the website using a predetermined session. For example, I could trick you into clicking a shortened link to http://example.com/index.php?PHPSSIDE=BLAHBLAHBLAH. If you log in to example.com now, your session will be identified by BLAHBLAHBLAH. I'd then simply use the same identifier and be logged in to your session. Other methods include an untrusted sub-domain assigning a session cookie for another sub-domain.

If you trust your sub-domains, just configuring your web server not to use session identifiers (e.g. PHPSSID) from GET or POST is enough. Pairing the session to an IP address, refreshing the identifier, and session expiry are all also good extra layers of protection against session hijacking.

When implementing a security feature, always think about the majority of your users: those 90+% whose IP won't change a gazillion times throughout the session, those who won't have their sessions constantly hijacked. For the other 10%, it's alright to show them a re-authentication form (entering the password again) when something suspicious happens.

Adi
  • I meant the same thing, i.e. http://example.com/index.php?PHPSSIDE=BLAHBLAHBLAH is not originated by the client; correct me if I am wrong. – Ali Ahmad Jun 16 '13 at 15:44
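The flow the answer describes (attacker picks a session id, puts it in a link, the victim logs in under it, the attacker reuses it) and the two defences it lists (refuse ids from the URL and regenerate the id on login; pair the session to an IP but fall back to re-authentication rather than a hard block) as an added example in Python. This is not code from the question or the answer; the `SessionStore` class, the request dictionary layout, the `login_vulnerable`/`login_hardened`/`whoami` names, the `PHPSESSID` parameter name and the sample IPs and id `BLAHBLAHBLAH` are assumptions made for the illustration.

```python
"""Session fixation: a vulnerable login handler beside a hardened one.

Added example, not from the original post. Everything below (store layout,
request dict shape, function names, sample ids and addresses) is assumed.
"""
import secrets
from urllib.parse import parse_qs, urlparse

SID_NAME = "PHPSESSID"  # assumed: PHP's default session parameter/cookie name


class SessionStore:
    """Server-side session table: sid -> {"user": str | None, "ip": str}."""

    def __init__(self):
        self.sessions = {}

    def new(self, ip):
        sid = secrets.token_urlsafe(24)  # server-chosen, unguessable id
        self.sessions[sid] = {"user": None, "ip": ip}
        return sid


def sid_from_request(req, allow_url):
    """Return the session id; a vulnerable server also reads it from the query string."""
    if allow_url:
        qs = parse_qs(urlparse(req["url"]).query)
        if SID_NAME in qs:
            return qs[SID_NAME][0]
    return req.get("cookies", {}).get(SID_NAME)


def login_vulnerable(store, req, user):
    """Adopts whatever id the request carries (even from the URL) and keeps it after auth."""
    sid = sid_from_request(req, allow_url=True)
    if sid not in store.sessions:
        # The attacker-chosen id becomes a real session once the victim arrives with it.
        store.sessions[sid] = {"user": None, "ip": req["ip"]}
    store.sessions[sid]["user"] = user
    return sid


def login_hardened(store, req, user):
    """Ignores URL-supplied ids and issues a fresh id at the moment of authentication."""
    old = sid_from_request(req, allow_url=False)
    store.sessions.pop(old, None)  # drop the pre-auth session, whoever created it
    sid = store.new(req["ip"])
    store.sessions[sid]["user"] = user
    return sid


def whoami(store, req, bind_ip):
    """Resolve the caller; with IP pairing, a mismatch asks for re-auth instead of blocking."""
    sess = store.sessions.get(sid_from_request(req, allow_url=False))
    if sess is None or sess["user"] is None:
        return None
    if bind_ip and sess["ip"] != req["ip"]:
        return "REAUTH_REQUIRED"  # show the password form, per the answer's advice
    return sess["user"]


def run_fixation_attack(login, bind_ip):
    """Replay the scenario; returns (what the victim sees, what the attacker sees)."""
    store = SessionStore()
    fixed = "BLAHBLAHBLAH"  # attacker-chosen id from the answer's example link
    victim_ip, attacker_ip = "198.51.100.7", "203.0.113.9"  # constructed sample addresses
    victim_login = {"url": f"http://example.com/index.php?{SID_NAME}={fixed}",
                    "cookies": {}, "ip": victim_ip}
    victim_sid = login(store, victim_login, "alice")
    victim_next = {"url": "http://example.com/account",
                   "cookies": {SID_NAME: victim_sid}, "ip": victim_ip}
    attacker = {"url": "http://example.com/account",
                "cookies": {SID_NAME: fixed}, "ip": attacker_ip}
    return whoami(store, victim_next, bind_ip), whoami(store, attacker, bind_ip)


if __name__ == "__main__":
    print("vulnerable:          ", run_fixation_attack(login_vulnerable, bind_ip=False))
    print("vulnerable + IP pair:", run_fixation_attack(login_vulnerable, bind_ip=True))
    print("hardened:            ", run_fixation_attack(login_hardened, bind_ip=False))
```

With the vulnerable handler the attacker's cookie resolves to `alice`; adding IP pairing alone turns that into a re-authentication prompt (and would do the same to a legitimate user whose address changed, which is the false-positive the question worries about); regenerating the id on login makes the fixed id worthless regardless of IP, while the victim's new cookie still works.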