Questions tagged [session-fixation]

A vulnerability through which an attacker can hijack a user's session by fixing (choosing in advance) the session ID value the user will use. If an application keeps the same session ID before and after login, it is vulnerable to session fixation.

68 questions
3 votes, 3 answers

Checking Browser Agent String for application security

I have recently come across some logs in my application where I have seen the user's browser agent info being switched. Even if the user is using the same browser, the agent info has been modified for consecutive requests. For example, a request…
ha9u63ar
2 votes, 2 answers

Can sessions be handled securely with cookies disabled?

I've been doing some reading here about session ID handling, and have learned that it's generally a bad idea to include a session ID in the HTML source code, and/or on the query string. For example Is it correct to use form field(hidden) for storing…
Mike Willis
2 votes, 1 answer

Javascript http to https redirect - how vulnerable/how secure?

If I had a website http://site.com redirecting to https://site.com via javascript (with a HTTP/1.1 403 Forbidden), what are the attack vectors I could be vulnerable to? Why is this not a good practise? (and the preferred way is to do a 301 from the…
2 votes, 0 answers

How does proper use of session.use_only_cookies and session_regenerate_id() cause personal DoS?

From PHP Session Management basics: Proper use of session.use_only_cookies and session_regenerate_id() can cause personal DoS with undeletable cookies set by attackers. In this case, developers may invite users to remove cookies and advise…
2 votes, 1 answer

Session id in custom header

Is there a way to perform session fixation attack with XSS present if session id is passed in request header? As far as I see it, theoretically there are three ways to do so: intercept request on login, substitute session id (have not found any…
2 votes, 1 answer

Hardening ASP.NET against session fixation: Should I change the session ID despite the additional Auth cookie?

Situation I am the responsible developer for an ASP.NET application that uses the "Membership" (username and password) authentication scheme. I am presented with the following report from a WebInspect scan: WebInspect has found a session fixation…
Marcel
2 votes, 2 answers

Testing Session Fixation when cookie is unchanged

I was testing a web application where cookies (session ID, session values) are the same for all times. Even after successful authentication takes place it remains unchanged. The session ID travels in the form of a HTTP cookie. To investigate a…
Shakir
2 votes, 2 answers

Comparing Session Hijacking, Fixation and Riding

How do I differentiate between Session Hijacking, Session Fixation and Session Riding? I find it difficult to understand when reading about all three at the same time. I get very confused when comparing Hijacking with Fixation because there's…
Youbecks003
2 votes, 2 answers

HTTP session fixation

According to wikipedia, Mallory the attacker gets her own SID and then forces Alice to visit a site with the SID. Why wouldn't Mallory just take Alice's SID, if she could MITM Mallory? Also, is this attack without MITM only susceptible to SID in…
Adam
2 votes, 1 answer

How to protect the Session ID?

I have been doing some reading over the past few days on Session IDs and the methods taken to prevent people from intercepting them and using them to hijack a session. From what I have read, when sending the Session ID in a cookie to the browser…
1 vote, 2 answers

ASP.NET session id strength

After reading this and this, I am wondering if it is considered secure to use the default ASP.NET sessionID as a means to authenticate the user. I know it would be better to implement ASP.Identity, which has a much longer 'fedAuth' cookie next to…
Michael
1 vote, 1 answer

Session Fixation - Is that even an issue here?

Someone stepped up to me calling me out on not assigning a new session-ID on successful login. Basically I was told: The fact that I use the same cookie (with the same SID) in the login-page as well as the remaining authorized session makes my…
Mercious
1 vote, 3 answers

Session Fixation - Setting path to root without /

I have found an XSS vulnerability on the subdomain of a site I am testing, and using it I can set cookies for both the main site and all its subdomains. My url currently looks like…
WH567
1 vote, 1 answer

Preventive Measure for detecting Session Fixation attacks

From my understanding, if I am not wrong, in session fixation attacks the attacker logs into the server as a legitimate user and creates a valid session. He then tricks the compromised user into using his session, which has already been fixed. My…
Ali Ahmad
1 vote, 1 answer

Mitigating physical cookie theft

Threat model: Malicious user gaining physical access to browser cookies (e.g., 3rd party repair guy copying cookies to his own device or something like that). Let's say legit user did not clear cookies beforehand. Possible mitigation: Pre-authorize…