Consider a common example of privilege change: Amazon.
If you have ever used Amazon, your browser has a persistent cookie that tells Amazon who you are, even if you haven't signed on. When you open up the browser and navigate to Amazon, it'll show your name on the top right and you'll have the ability to add items to your cart. You might call this level 1 authentication.
The level 1 authentication cookie has a very long lifespan (it may be infinite) and is persistent, meaning that anyone with access to your cookie store could steal it.
Now, let's say you've added some items to your cart and you wish to complete a purchase. At this point, Amazon will require you to enter your password. Once you have done so, you have additional privileges. You might call this level 2 authentication.
The level 2 authentication cookie is a lot harder to steal. It is an http-only session cookie and goes away when you close your browser. And it only works for about 30 minutes, I believe.
Note: It is impossible for the server to tell if a cookie is http-only or if it is a session cookie, because a browser only presents the cookie value itself, not its attributes. So from the web server's perspective, everything depends on the cookie value itself.
Now imagine if Amazon didn't bother to switch the session ID when you sign on. Instead, it keeps the same session ID, but stores a session variable indicating the elevated privilege. Here is a plausible attack:
- Hacker steals your persistent cookie, which will only give him level 1 privileges. No biggie, right?
- Your browser has an exact copy of this cookie.
- At some point, you browse to Amazon, decide to complete a purchase, and sign on.
- The cookie now has level 2 privileges.
- Hacker has been hitting the Amazon server with this cookie occasionally to see if you have signed on. Once he sees that you have elevated to level 2, he can do anything you can, including send himself an item or changing your password.
If the session identifier changed in step 3, this attack would be thwarted.