Questions tagged [session-fixation]

A vulnerability through which an attacker can hijack a user's session by fixing the session ID value of the user. If an application's session ID value remains the same before and after login, the application is vulnerable to session fixation.

68 questions
4 votes, 1 answer

Session Identification Hashing - How to make it more Secure and Robust

I wrote a PHP class which handles Sessions and stores them in the DB instead of normal Files on the server; you can find it in My Session Handler Class. In that post a user by the name @AnotherGuy has raised some security concerns/flaws about my Session…
4 votes, 3 answers

How to avoid session fixation (Login CSRF) by MitM attack without HSTS?

I'm writing a web app that already uses TLS encrypted connections (HTTPS), Secure; HttpOnly session cookie, HMAC-SHA1 CSRF token, requires correct Referer header to avoid Login CSRF and changes session id during login to avoid basic session fixation…
4 votes, 2 answers

Am I understanding correctly how to stop a certain OAuth2 session fixation attack?

Please find here described an OAuth2 session fixation attack. Is the attack possible? And am I understanding correctly how it can be stopped? The attack Mallory starts logging in at client.example.com via a certain OpenAuth2 provider, but just after…
KajMagnus
4 votes, 2 answers

Do I still need a CSRF token?

When a client makes the first request, I send a session ID cookie generated by the server as a string of 64 random bytes using getrandom(2) or /dev/urandom, stored in the database, with the flags HttpOnly, Secure and SameSite=Strict set.…
rid
4 votes, 1 answer

Plausible scenario for a PHP session fixation attack with default settings?

Recently I was musing on the problem and realized that I cannot think of a plausible scenario for a session fixation attack against a PHP application running with default settings. Given session.use_only_cookies's default value is On, an attacker…
4 votes, 2 answers

Session Fixation: A token and an id

I am testing a web app and it works like this: user opens the page and is assigned a sessionId. user logs in, sessionId stays the same but user is also given an authToken. user logs out, authToken is deleted, sessionId changes. user logs back in,…
b4da
3 votes, 1 answer

OpenID Session Fixation with CSRF

This answer describes a situation where CSRF can be used to trick an end user into entering a credit card into another person's Paypal account. It also highlights the fact that state-changing GET requests are just as bad as POST requests. This is pretty…
makerofthings7
3 votes, 2 answers

Exploiting a potential ASP.NET web app Session Fixation vulnerability

I am pen-testing an ASP.NET application that is exhibiting Session Fixation behavior. The application is using cookie-based sessions. Basically: When you land on the page, no Session cookie is created. After login, the ASP.NET_SessionId cookie is…
fing
3 votes, 1 answer

What attacks are prevented using Session Timeout or Expiry?

OWASP recommends setting session timeouts to minimal value possible, to minimize the time an attacker has to hijack the session: Session timeout define action window time for a user thus this window represents, in the same time, the delay in which…
gregmac
3 votes, 1 answer

Is it easy to hijack a browser session if you have access to someone else's computer?

If someone has access to my computer, can they easily get my session id by going to the browser's developer tools and taking a photo of the session id with a phone, if the session id is passed in a cookie? E.g. in a Java web app, the jsessionid is…
Rpant
3 votes, 1 answer

How often should I reset my users' session cookies?

I am working on a Rails application where I reset the session upon logging out and each successful login, as well as when the user IP address changes. Would resetting the session (changing the session ID cookie) after each user request…
Nick M
3 votes, 1 answer

I was logged in as another user to a site, how?

It happened last year but I still wonder to this day. I was looking for coupons for the site Alltrails. I had a free account and wanted to get a Pro account. I randomly opened lots of search results, but I couldn't find a coupon. Upon going back to…
3 votes, 1 answer

Clarification on how session fixation attacks work

Starting with OWASP I am learning how session fixation attacks work. This is the scenario: The attacker has the session ID generated by the server (by logging in for example), and sends a hyperlink with the same session id in it to the victim. Now…
3 votes, 2 answers

Placing IP address in JSON web token or session cookie

I'm relatively new to security and I'm looking to prevent brute force logins on a web application I'm creating. After doing some research, I decided to go with requiring a captcha after a user attempts too many logins within a set amount of time but…
3 votes, 2 answers

Session Fixation cookie delivery

I found a possibility for session fixation in an application I am researching. It is a session fixation through a session ID cookie. Now I've read up on session fixation and the concept is clear and comes down to getting a victim to use the cookie…
Wealot