Questions tagged [session-fixation]

A vulnerability through which an attacker can hijack a user's session by fixing (pre-setting) the session ID value of the user. If, in an application, the session ID value remains the same before and after login, then the application is vulnerable to session fixation.

68 questions
41 votes · 2 answers

Can advertisements read cookies of the website it is on?

I know many ads can store third-party cookies, but what about reading cookies? If so, what stops them from reading the session id to perform session hijacking?
user3500869 · 483 · 4 · 6
32 votes · 6 answers

Can't a user change his session information to impersonate others?

Can't an attacker just change his/her session (or cookie because it's stored locally) information then fool the server that he's the legitimate user? Say for example, if a website uses the database id as an identifier, the attacker logs in to his…
29 votes · 5 answers

Protecting against cross-subdomain cookie attacks

I have been reading about cross-subdomain cookie attacks here. A quick overview of how it works (from Wikipedia): A web site www.example.com hands out subdomains to untrusted third parties One such party, Mallory, who now controls evil.example.com,…
F21 · 501 · 1 · 4 · 10
18 votes · 2 answers

Session Cookie Stealing Protection

I am looking at how to secure a web site against getting its session cookie stolen. These are the controls that I know are widely known/used: HTTPS Everywhere Only use a securely created random string for the cookie value Mark the session cookie…
chotchki · 487 · 2 · 5 · 11
11 votes · 1 answer

Understanding Session Fixation Vulnerability

What I've Read: I've read the following resources on session fixation, but I'm still having difficulty understanding some aspects of this kind of vulnerability: Ruby on Rails Security Guide § 2.7 Session Fixation. Preventive Measure for detecting…
40XUserNotFound · 219 · 2 · 9
11 votes · 4 answers

Do you need to encrypt session data?

I came across a session management class in PHP which encrypts session data in the session storage folder (i.e., /tmp) and can be decrypted later in your script using a key. I was wondering if it's really needed? If you are already doing some session…
IMB · 2,888 · 6 · 28 · 42
9 votes · 2 answers

Best way to securely set a session cookie on another domain

We currently have 2 sites http://www.foo.co.uk and https://secure.foo.com. The www site does not have an SSL certificate and is on a different domain. We have a login button on http://www.foo.co.uk that when clicked opens up an iframe of…
9 votes · 1 answer

Changing session id after login

My web application is only accessible to authenticated users. Before login the user can only see the main page with a button to log in. The application assigns a session ID on the main page; the authentication is handled by another application. After…
user187205 · 1,163 · 3 · 15 · 24
9 votes · 1 answer

Will session_regenerate_id() without the true parameter improve security? Should I use it right before login?

I want to decrease session fixation attack vulnerability, hence I used session_regenerate_id() before login. Somehow I'm in the dark now and not sure of the right answer to the questions below: When we don't set the function parameter to TRUE then the old…
Alireza · 1,280 · 1 · 20 · 26
7 votes · 1 answer

Session fixation in Java

In the process of developing a vulnerable jsp/servlet based application I made an attempt to introduce the session fixation vulnerability. Referring to the documentation I came up with the following code which when used in the servlet to create a…
Shurmajee · 7,285 · 5 · 27 · 59
7 votes · 2 answers

Are my session settings secure enough?

I'm developing a file hosting and sharing web application. Are the following PHP session settings secure enough? ini_set('session.cookie_httponly', 1); ini_set('session.cookie_lifetime', 0); ini_set('session.entropy_file',…
Kid Diamond · 377 · 3 · 13
6 votes · 4 answers

Prevent session hijacking in PHP

I wrote the login/logout scripts of my web page, and when the user logs in I store the user agent in the $_SESSION variable. Now each time a page is loaded I check if the user is logged in or not, and if they are logged in I check if the user agent has…
user3535688 · 333 · 1 · 3 · 7
5 votes · 1 answer

How to prevent MITM session fixation attack over plain HTTP upon first request?

Websites have various methods implemented to tell the browser to always use HTTPS: HSTS header, server redirect to HTTPS, CSP policy. However, the first time a user visits the site it can be over plain HTTP. Only after that does the browser know that the site…
5 votes · 1 answer

Session renewal how often is necessary?

I am looking at the session management again of a site and currently it renews the client session id on every page refresh. The idea being that if it is stolen directly from the browser there is less chance of the session being hijacked. This though…
Kline · 51 · 2
5 votes · 3 answers

Session fixation attack

Given the following conditions: the session ID does not change upon login; the session ID travels in the form of an HTTP cookie; there is no cross-site scripting/redirection vulnerability on the login page. Is it still possible to perform a session fixation…
wxyzwebz · 51 · 3