-5

I have read that both of them are conventionally the same. But there must be a few differences which differentiates the two terms. Anyone please explain.

Anandu M Das
  • Do you have a reference that shows "session recreation" in context? I've never seen that term used – paj28 Sep 17 '14 at 09:42
  • Perhaps Anandu means Session Replay instead of recreation? –  Sep 19 '14 at 20:37
  • @Ian maybe I am mistaken. But what is Session Replay then? – Anandu M Das Sep 22 '14 at 06:26
  • I've never heard of Session Replay either. Where did you hear these terms, Anandu? – paj28 Sep 23 '14 at 11:38
  • I heard the term from one of my colleagues, but he also had no idea what was actually meant by that. – Anandu M Das Sep 23 '14 at 11:48
  • Complete guess, but maybe he meant "[Replay Attack](http://en.wikipedia.org/wiki/Replay_attack)"? If you find out, you should edit your question for some good answers. – SilverlightFox Sep 23 '14 at 11:59
  • This question doesn't appear to be answerable, since there is no clear definition of the term "session recreation"; the question does not offer a definition or example, and the term is not widely used in security. (A [Google search for `"session recreation"`](https://encrypted.google.com/#q=%22session%20recreation%22) turns up this exact question as the fifth result, under four results about recreational events.) Perhaps you could give an excerpt of the text where you've "*read that both of them are conventionally the same*"? – apsillers Sep 23 '14 at 12:45
  • SilverlightFox, ParaP2 & Sebastian B have it. Session replay is basically re-using a stolen session token to masquerade as another user; this is subtly different from forcing someone to use (or using for yourself) a predicted session token. I guess I may have confused things by using a term that I and my colleagues understand to be this activity - and was the closest thing that I could think of to 'session recreation', never having heard of that latter term. In any case, check out OWASP info on session mgt: https://www.owasp.org/index.php/Testing_for_Session_Management –  Sep 24 '14 at 13:38

5 Answers

0

I think session recreation or session replay means recreating the user's activity for a given session, typically as a form of troubleshooting and/or analysis. Something bad happened with user __. Based on logged activity, they did _ things before they encountered the issue. I could then attempt to reproduce the situation that led up to that issue, encounter it, and fix it.

Session fixation refers to forcing or tricking a victim into using a given session from an attacker. The attacker would then know the session (and they could steal it) the victim is using because the attacker gave it to them.

Paraplastic2
0

Like Paraplastic2 already stated:

With session fixation you create a malicious session (one you control) first and try to get a user to use this "prepared / fixated" session, so you can access the session information (data you want to manipulate or steal).

The term session "recreation" does not seem to be that commonly used, as you cannot find many hits on Google, for example.

The most logical counterpart seems to be session replay, as described in: https://capec.mitre.org/data/definitions/60.html

So the difference from fixation would be that you do not provide the malicious session identifier to the user but instead somehow get your hands on the existing session that the user initiated himself (for example by XSS cookie stealing).

Without more context to the term "session recreation" it is hard to validate if this is what you mean.

Sebastian B.
  • If that's what you mean, you can look here: http://stackoverflow.com/questions/5081025/php-session-fixation-hijacking – Sebastian B. Sep 24 '14 at 08:14
0

In the context of security in session management, recreation of the session is recommended after login or any privilege change.

Also, according to the OWASP session management cheat sheet:

> The session ID regeneration is mandatory to prevent session fixation attacks [3], where an attacker sets the session ID on the victim's user web browser instead of gathering the victim's session ID, as in most of the other session-based attacks, and independently of using HTTP or HTTPS. This protection mitigates the impact of other web-based vulnerabilities that can also be used to launch session fixation attacks, such as HTTP response splitting or XSS [4].

Source: https://www.owasp.org/index.php/Session_Management_Cheat_Sheet

DavidC
0

Perhaps the best thing is to read up on OWASP, refine your definition of 'session recreation' based on what you read there, and decide what the difference is yourself. Without wishing to sound flippant, you've got a few of us here discussing what you mean by that, so instead of a lot of back and forth, that may be the way forward. I linked the session management page above - https://www.owasp.org/index.php/Testing_for_Session_Management - and Paraplastic2 had another handy link from OWASP.

Best of luck!

0

Finally, I have found the answer. If we are able to steal someone's (say user John's) cookies and gain access to their sessions, we are able to do this only if the user (John) is logged in to his account from somewhere else. It is actually called session fixation. But once he has logged out, the value of the cookie for that session expires and the attacker also loses access to John's account.

Now coming to the case of Session Recreation, the attacker is able to hijack John's session even if he has logged out from his account. If someone knows this concept with any other name please feel free to share it here. Posting this as the accepted answer here.

Anandu M Das
  • So basically what everyone has already said. As for requesting another name for the concept, again, I think you've got a few options, as well as multiple links to OWASP. –  Oct 03 '14 at 22:36
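The two server-side controls this thread keeps circling back to, session ID regeneration at login (the OWASP text quoted in DavidC's answer, which is what defeats the fixation scenario Sebastian B. describes) and server-side invalidation at logout (which is why a copied cookie should stop working once the user logs out, the point the accepted answer makes), as an added Python example that is not part of the original thread. The `SessionStore` class, its method names and the `"john"` sample user are assumptions made for the illustration:

```python
"""Added example (not from the Stack Exchange thread, OWASP or CAPEC): a minimal
in-memory session store contrasting a login that keeps whatever session ID the
client presented with one that regenerates the ID at login, plus a logout that
destroys server-side state. All names here are assumptions for illustration."""
import secrets


class SessionStore:
    def __init__(self):
        # session_id -> {"user": authenticated user name or None}
        self._sessions = {}

    def create(self):
        """Issue a fresh, unauthenticated session ID (first visit)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user):
        """Weak pattern: upgrade the ID the client already carries. If a third
        party chose that ID (session fixation), they now hold the authenticated
        session as well, because the ID never changed."""
        if sid not in self._sessions:
            sid = self.create()
        self._sessions[sid]["user"] = user
        return sid

    def login_regenerating(self, sid, user):
        """OWASP-recommended pattern: discard the pre-authentication ID and issue
        a new one at the privilege change, so a fixated ID never becomes an
        authenticated one."""
        self._sessions.pop(sid, None)          # old ID is dead from here on
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def logout(self, sid):
        """Destroy server-side state; any copy of the cookie is now useless,
        regardless of what the client browser still holds."""
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        """Authenticated user behind a presented ID, or None if not valid."""
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def fixation_demo(regenerate):
    """Constructed scenario: a valid-but-unauthenticated ID is known to a third
    party before the victim logs in with it. Returns what that known ID and the
    victim's post-login ID resolve to."""
    store = SessionStore()
    known_sid = store.create()                 # ID known before login
    login = store.login_regenerating if regenerate else store.login_vulnerable
    victim_sid = login(known_sid, "john")      # victim authenticates with it
    return store.user_for(known_sid), store.user_for(victim_sid)


def replay_after_logout_demo():
    """Constructed scenario: a copy of an authenticated cookie is checked before
    and after the legitimate user logs out."""
    store = SessionStore()
    sid = store.login_regenerating(store.create(), "john")
    copied_cookie = sid
    before = store.user_for(copied_cookie)
    store.logout(sid)                          # server-side invalidation
    after = store.user_for(copied_cookie)
    return before, after


if __name__ == "__main__":
    print("no regeneration:", fixation_demo(regenerate=False))   # ('john', 'john')
    print("regeneration:   ", fixation_demo(regenerate=True))    # (None, 'john')
    print("logout:         ", replay_after_logout_demo())        # ('john', None)
```

The detail worth checking in a real framework is the one `login_regenerating` makes explicit: the old ID must be removed from the store, not merely replaced in the cookie, and logout must remove server-side state rather than only clearing the cookie. A cookie expiry date alone does nothing against a copy that was already taken.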