ExpertRefresh

Session fixation

1) How can a hacker do a session fixation?





2) How can you prevent session fixation?






// Session fixation: unsafeURL?PHPSESSID=123
// Defence: session_regenerate_id() & session.use_trans_sid = 0 (and session.use_only_cookies = 1)

Session fixation

When a user first encounters a page in your application that calls session_start(), a session is created for the user. PHP generates a random session identifier for that user and sends it to the client in a Set-Cookie header. By default, the name of this cookie is PHPSESSID. On subsequent requests the client presents the cookie, and this is how the application maintains state. It is possible, however, to set the session identifier through the query string (when PHP is configured to accept it, as in the insecure settings below), forcing the use of a particular session.

A simple attack scenario:

1. Mallory has determined that unsafeURL accepts session identifiers from query strings.
2. Mallory sends Alice an e-mail: "Hey, check this out, there is a cool new account summary feature on our bank, unsafeURL?PHPSESSID=123". Mallory is trying to fixate the SID to 123.
3. Alice is interested and visits unsafeURL?PHPSESSID=123. The usual log-on screen pops up, and Alice logs on.
4. Mallory visits unsafeURL?PHPSESSID=123 and now has unlimited access to Alice's account.

Vulnerable example (insecure settings, and the session id survives the login):

<?php
// Insecure php.ini settings (set at runtime here for the demonstration)
ini_set("session.use_trans_sid", 1);    // default 0: allows the SID to travel in URLs
ini_set("session.use_cookies", 0);      // default 1
ini_set("session.use_only_cookies", 0); // default 1: accept SIDs from the query string

session_start();

if (isset($_GET['btn_submit'])) {
    // Deliberately minimal "authentication" for the demo: only the username is checked
    if ($_GET['username'] == 'john') {
        $_SESSION['username'] = 'john';   // the SID fixed by the attacker is kept
    }
}

echo "Sessionid: " . session_id() . " / Logged user: " . ($_SESSION['username'] ?? '');

/* OUTPUT:
   Sessionid: s0dlgs40h4fi36ggthv6mb77d7 / Logged user: john

   In another browser (to test as if you were the attacker), after the victim has
   logged in through unsafeURL?PHPSESSID=123, visiting the same URL gives:
   Sessionid: 123 / Logged user: john   // --- Look Here --- //
   In this way an attacker can access john's account */
?>
<?php if (empty($_SESSION['username'])): ?>
<form method="GET">
Username: <input type="text" name="username" value="john"/><br />
Password: <input type="password" name="password" /><br />
<input type="submit" name="btn_submit" value="Log In"/>
</form>
<?php endif; ?>

Since the purpose of the attack is to gain a higher level of privilege, the points at which the attack must be blocked are clear: every time a user's access level changes, the session identifier has to be regenerated. There are a few ways to prevent session fixation (do all of them): refuse session identifiers from the URL (session.use_trans_sid = 0, session.use_only_cookies = 1) and regenerate the session id on every login:

<?php
// Secure php.ini settings (set at runtime here for the demonstration)
ini_set("session.use_trans_sid", 0);    // default 0: no SID in URLs
ini_set("session.use_cookies", 1);      // default 1
ini_set("session.use_only_cookies", 1); // default 1: ignore SIDs from the query string

session_start();

// At every login the PHPSESSID is changed
if (isset($_GET['btn_submit'])) {
    // Same minimal username-only check as above, kept for comparison
    if ($_GET['username'] == 'john') {
        $_SESSION['username'] = 'john';
        session_regenerate_id(true); // --- Look Here --- // new SID; true deletes the old session
    }
}

echo "Sessionid: " . session_id() . " / Logged user: " . ($_SESSION['username'] ?? '');
// PHPSESSID=kta1va58aevngk6r7hkvodspf2
?>
<?php if (empty($_SESSION['username'])): ?>
<form method="GET">
Username: <input type="text" name="username" value="john"/><br />
Password: <input type="password" name="password" /><br />
<input type="submit" name="btn_submit" value="Log In"/>
</form>
<?php endif; ?>
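As an added example (not part of the original page), the prevention steps above combined into one login handler. Beyond the page's three measures it enables session.use_strict_mode, which makes PHP reject any session id the server did not itself generate, hardens the cookie flags, and regenerates the id on logout as well as login. The user store and password are constructed for the demo; the hash is created at startup and stands in for a database lookup.

```php
<?php
declare(strict_types=1);

// Added example: session handling hardened against fixation.
// Assumption: $users replaces a real user database.

// 1. Never accept a SID from the URL (cookies only, no URL rewriting) and
//    reject SIDs that this server did not generate (strict mode).
ini_set('session.use_trans_sid', '0');
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');

// 2. Keep the SID away from scripts and plain HTTP.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => isset($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);

session_start();

// Constructed user store: the hash is generated fresh on every request for the demo.
$users = [
    'john' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // 3. The access level changes here, so discard the old SID. With true the old
    //    session data is deleted, so a SID fixed before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['username']     = $username;
    $_SESSION['logged_in_at'] = time();
    return true;
}

function logout(): void
{
    // Access level changes again: clear the data and issue a fresh SID before destroying.
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['btn_submit'])) {
    $ok = login($users, (string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    if (!$ok) {
        http_response_code(401);
    }
}

echo 'Sessionid: ' . htmlspecialchars(session_id())
   . ' / Logged user: ' . htmlspecialchars($_SESSION['username'] ?? '(none)');
?>
<?php if (empty($_SESSION['username'])): ?>
<form method="POST">
  Username: <input type="text" name="username" /><br />
  Password: <input type="password" name="password" /><br />
  <input type="submit" name="btn_submit" value="Log In" />
</form>
<?php endif; ?>
```

With strict mode on, a request carrying PHPSESSID=123 that the server never issued starts a brand-new session instead of adopting that id, so the fixation attempt fails even before the login-time regeneration runs. The array form of session_set_cookie_params() needs PHP 7.3 or later.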