Questions tagged [session-fixation]

A vulnerability through which an attacker hijacks a user's session by fixing (choosing in advance) the session ID value that the user's browser will present. If an application keeps the same session ID value before and after login, it is vulnerable to session fixation: the attacker plants a known ID, waits for the victim to authenticate with it, and then presents that same ID.

68 questions
0 votes, 1 answer

Is there a way to modify the value of a session token with HttpOnly flag set in this scenario?

SCENARIO: When a user browses to the login page the web application sets SESSIONID=X; Httponly; before the authentication. After the authentication NO new cookies are set. The only cookie used to identify the session is SESSIONID=X. This should mean…
Maicake · 497 · 1 · 3 · 13
0 votes, 1 answer

Is there a way to know that a cookie is "HTTP Only" on the first user request?

As I was reading the session fixation article on OWASP, I was thinking that the only way for my server to refuse a cookie set by a rogue script would be for my server to know that the browser sent a request without the HTTP-Only flag. Only cookies…
Alexis Wilke · 862 · 5 · 19
0 votes, 5 answers

Session fixation attack, cookie based sessions over https

A third-party security consultant did a penetration test on a few of our webapps. One of the findings was a potential session fixation vulnerability. We have several webapps, all Java, with single sign-on provided by JASIG CAS. To briefly summarize CAS…
mzzzzb · 269 · 1 · 2 · 6
0 votes, 1 answer

Is Session Fixation a tough one to resolve?

Just found a session fixation vulnerability in a couple of tech giants. Here are the steps I have done: 1. Log in to your account in a browser (Browser 1). 2. Extract the cookie using a cookie extractor. 3. Import the cookie into a different browser (Browser…
Shakir · 185 · 2 · 13
0 votes, 2 answers

Session Management: Set new value of session ID after privilege change and other sensitive operations

This OWASP Article on session management recommends to set a new value of session ID when: Common scenarios must also be considered, such as password changes, permission changes or switching from a regular user role to an administrator role…
one · 1,781 · 3 · 18 · 45
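The tag description above states the vulnerable condition (the session ID is the same before and after login), and the question above asks about rotating the ID on privilege changes as well. The following is an added example, not code from any of the posts or from the OWASP page they cite: a small in-memory session store (constructed for illustration; the class and function names are assumptions) with a switch between the vulnerable behaviour and the fixed one, plus a simulated fixation attack that succeeds against the former and fails against the latter. The step in which the attacker plants the ID in the victim's browser is out of scope and is only represented by a variable assignment.

```python
import secrets


class SessionStore:
    """Minimal server-side session store (constructed for illustration).

    rotate_on_login=False reproduces the vulnerable behaviour: the session ID
    stays the same before and after login, so an ID the attacker planted in
    the victim's browser becomes the victim's authenticated session.
    rotate_on_login=True is the fix: issue a fresh ID at login and at every
    privilege change, and invalidate the old one so it stops working.
    """

    def __init__(self, rotate_on_login=True):
        self.sessions = {}                 # session id -> session data
        self.rotate_on_login = rotate_on_login

    @staticmethod
    def _new_id():
        # 32 random bytes from the OS CSPRNG; never derive IDs from time or counters
        return secrets.token_urlsafe(32)

    def new_session(self):
        """Anonymous session created when any client first visits the site."""
        sid = self._new_id()
        self.sessions[sid] = {"user": None, "role": None}
        return sid

    def login(self, presented_sid, user):
        """Authenticate `user`; returns the session ID the browser must store."""
        data = self.sessions.get(presented_sid)
        if data is None:
            # Unknown ID: never adopt a client-supplied value, start clean instead.
            data = {"user": None, "role": None}
            presented_sid = None
        data["user"], data["role"] = user, "user"
        if self.rotate_on_login or presented_sid is None:
            if presented_sid is not None:
                del self.sessions[presented_sid]   # the old ID must stop working
            new_sid = self._new_id()
            self.sessions[new_sid] = data
            return new_sid
        self.sessions[presented_sid] = data        # vulnerable: ID unchanged
        return presented_sid

    def change_role(self, sid, role):
        """Privilege change (e.g. user -> admin): rotate the ID the same way."""
        data = self.sessions.pop(sid, None)
        if data is None or data["user"] is None:
            raise PermissionError("not an authenticated session")
        data["role"] = role
        new_sid = self._new_id()
        self.sessions[new_sid] = data
        return new_sid

    def whoami(self, sid):
        data = self.sessions.get(sid)
        return data["user"] if data else None

    def role_of(self, sid):
        data = self.sessions.get(sid)
        return data["role"] if data else None


def fixation_attack(store):
    """Simulate the classic attack; returns the user the attacker ends up as."""
    attacker_sid = store.new_session()   # 1. attacker obtains a valid pre-login ID
    planted = attacker_sid               # 2. attacker fixes it in the victim's browser
                                         #    (delivery mechanism not modelled here)
    store.login(planted, "alice")        # 3. victim logs in while presenting that ID
    return store.whoami(attacker_sid)    # 4. attacker replays the ID he chose


if __name__ == "__main__":
    print("vulnerable store, attacker is:", fixation_attack(SessionStore(rotate_on_login=False)))
    print("hardened store, attacker is:", fixation_attack(SessionStore(rotate_on_login=True)))
```

Two details matter in the hardened path: the new ID is generated server-side from a CSPRNG rather than accepted from the client, and the previous ID is deleted rather than merely shadowed, since an application that issues a new ID but keeps the old one valid is still exploitable. In real frameworks the rotation step maps to a built-in call, for example `HttpServletRequest.changeSessionId()` in Servlet 3.1 or `session_regenerate_id(true)` in PHP, which should be invoked at login and at each of the privilege changes the OWASP article lists.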
-2 votes, 2 answers

How to avoid session sharing inside the same network

I was thinking about a situation to avoid session sharing or hijacking: validating the IP the user logged in from against the IP that is accessing any page after login. It was working until I figured it's possible when the users are coming from other…
-2 votes, 3 answers

Can a URL contain executable JavaScript?

I am learning about "Session fixation" and have read the corresponding OWASP page. In their Example 2 in the above page, they describe an attack via JavaScript, that is embedded in the URL…
Marcel · 3,494 · 1 · 18 · 35
-5 votes, 5 answers

What is the difference between session fixation and session recreation?

I have read that both of them are conventionally the same. But there must be a few differences which differentiate the two terms. Could anyone please explain?
Anandu M Das · 1,981 · 14 · 31 · 46