Session fixation
By default, the name of user session cookie is PHPSESSID. On subsequent visits, the client identifies the user with the cookie. It is possible, however, to set the session identifier manually.Scenario
A hacker is trying to fixate the SID to 123
# Hacker has determined that https://unsafe-bank.com ...
# accepts session identifiers from query strings
# Hacker sends User an e-mail
Hey, check this out:
https://unsafe-bank.com?PHPSESSID=123
# User is interested and visits
https://unsafe-bank.com?PHPSESSID=123
# the usual log-on screen pops up, and User logs on
# Hacker visits
https://unsafe-bank.com?PHPSESSID=123 ...
# and now has unlimited access to User's account!
POC
Unsecure php.ini settings!
# https://unsafe-bank.com/index.php
ini_set("session.use_trans_sid", 1); // default 0
ini_set("session.use_cookies", 0); // default 1
ini_set("session.use_only_cookies", 0); // default 1
session_start();
if (isset($_GET['btn_submit'])) {
if ($_GET['username'] == 'john') {
// ....
$_SESSION['username'] = 'john';
}
}
echo "Sessionid: " . session_id(); // Sessionid: s0dl ...
echo "Logged user: " . @$_SESSION['username']; // john
<?php if (! @$_SESSION['username']): ?>
<form method="GET">
Username: <input type="text" name="username" value="john"/><br />
Password: <input type="password" name="password" /><br />
<input type="submit" name="btn_submit" value="Log In"/>
</form>
<?php endif; ?>
In other browser, test it as if you are an attacker.
http://localhost/test.php?PHPSESSID=123
// Sessionid: 123
// Logged user: john
REGENERATE
Every time a user's access level changes, regenerate the session identifier.
// Secure php.ini settings
ini_set("session.use_trans_sid", 0); // default 0
ini_set("session.use_cookies", 1); // default 1
ini_set("session.use_only_cookies", 1); // default 1
session_start();
// At every login change PHPSESSID
if (isset($_GET['btn_submit'])) {
if ($_GET['username'] == 'john') {
$_SESSION['username'] = 'john';
session_regenerate_id(true); // Look Here
}
}
echo "Sessionid: " . session_id(); // Sessionid: s0dl ...
echo "Logged user: " . @$_SESSION['username']; // john
Last update: 405 days ago