A vulnerability through which an attacker can hijack a user's session by fixing the value of that user's session ID in advance. If an application keeps the same session ID value before and after login, the application is vulnerable to session fixation.
Questions tagged [session-fixation]
68 questions
41 votes, 2 answers
Can advertisements read cookies of the website it is on?
I know many ads can store third-party cookies, but what about reading cookies? If so, what stops them from reading the session id to perform session hijacking?
user3500869
32 votes, 6 answers
Can't a user change his session information to impersonate others?
Can't an attacker just change his/her session (or cookie because it's stored locally) information then fool the server that he's the legitimate user?
Say for example, if a website uses the database id as an identifier, the attacker logs in to his…
mzcoxfde
29 votes, 5 answers
Protecting against cross-subdomain cookie attacks
I have been reading about cross-subdomain cookie attacks here.
A quick overview of how it works (from Wikipedia):
A web site www.example.com hands out subdomains to untrusted third parties
One such party, Mallory, who now controls evil.example.com,…
F21
18 votes, 2 answers
Session Cookie Stealing Protection
I am looking at how to secure a web site against getting its session cookie stolen. These are the controls that I know are widely known/used:
HTTPS Everywhere
Only use a securely created random string for the cookie value
Mark the session cookie…
chotchki
11 votes, 1 answer
Understanding Session Fixation Vulnerability
What I've Read
I've read the following resources on session fixation, but I'm still having difficulty understanding some aspects of this kind of vulnerability:
Ruby on Rails Security Guide § 2.7 Session Fixation.
Preventive Measure for detecting…
40XUserNotFound
11 votes, 4 answers
Do you need to encrypt session data?
I came across a session management class in PHP which encrypts session data in the session storage folder (i.e., /tmp) and can be decrypted later in your script using a key. I was wondering if it's really needed? If you're already doing some session…
IMB
9 votes, 2 answers
Best way to securely set a session cookie on another domain
We currently have 2 sites http://www.foo.co.uk and https://secure.foo.com.
The www site does not have an SSL certificate and is on a different domain.
We have a login button on http://www.foo.co.uk that when clicked opens up an iframe of…
fire
9 votes, 1 answer
Changing session id after login
My web application is only accessible to authenticated users. Before login the user can only see the main page with a button to log in. The application assigns a session ID on the main page; the authentication is handled by another application.
After…
user187205
9 votes, 1 answer
Will session_regenerate_id() without the true parameter improve security? Should I use it right before login?
I want to decrease session fixation attack vulnerability, hence I used session_regenerate_id() before login. Somehow I'm in the dark now and not sure of the right answer to the questions below:
When we don't set the function parameter to TRUE then old…
Alireza
7 votes, 1 answer
Session fixation in Java
In the process of developing a vulnerable JSP/servlet-based application I made an attempt to introduce the session fixation vulnerability.
Referring to the documentation I came up with the following code which when used in the servlet to create a…
Shurmajee
7 votes, 2 answers
Are my session settings secure enough?
I'm developing a file hosting and sharing web application.
Are the following PHP session settings secure enough?
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_lifetime', 0);
ini_set('session.entropy_file',…
Kid Diamond
6 votes, 4 answers
prevent session hijacking in PHP
I wrote the log-in/log-out scripts of my web page, and when the user logs in I store the user agent in the $_SESSION variable. Now each time a page is loaded I check if the user is logged in or not, and if they are logged in I check if the user agent has…
user3535688
5 votes, 1 answer
How to prevent MITM session fixation attack over plain HTTP upon first request?
Websites have various methods implemented to tell the browser to always use HTTPS: the HSTS header, a server redirect to HTTPS, a CSP policy. However, the first time a user visits the site it can be over plain HTTP. Only after that does the browser know that the site…
Muhammad Umer
5 votes, 1 answer
Session renewal: how often is necessary?
I am looking at the session management again of a site and currently it renews the client session id on every page refresh. The idea being that if it is stolen directly from the browser there is less chance of the session being hijacked.
This though…
Kline
5 votes, 3 answers
Session fixation attack
Given the following conditions,
Session ID does not change upon login
Session ID travels in form of HTTP cookie
There is no cross site scripting/redirection vulnerability on the login page
is it still possible to perform a session fixation…
wxyzwebz