minte9
LearnRemember



Session fixation

By default, the name of user session cookie is PHPSESSID. On subsequent visits, the client identifies the user with the cookie. It is possible, however, to set the session identifier manually.

Scenario

A hacker is trying to fixate the SID to 123
 
# Hacker has determined that https://unsafe-bank.com ...
# accepts session identifiers from query strings

# Hacker sends User an e-mail
    Hey, check this out:
    https://unsafe-bank.com?PHPSESSID=123

# User is interested and visits 
    https://unsafe-bank.com?PHPSESSID=123
    # the usual log-on screen pops up, and User logs on

# Hacker visits 
    https://unsafe-bank.com?PHPSESSID=123 ...
    # and now has unlimited access to User's account!

POC

Unsecure php.ini settings!
 
# https://unsafe-bank.com/index.php

ini_set("session.use_trans_sid", 1); // default 0
ini_set("session.use_cookies", 0); // default 1
ini_set("session.use_only_cookies", 0); // default 1

session_start();

if (isset($_GET['btn_submit'])) {

    if ($_GET['username'] == 'john') {

        // ....

        $_SESSION['username'] = 'john';
    }    
}    

echo "Sessionid: " . session_id(); // Sessionid: s0dl ...
echo "Logged user: " . @$_SESSION['username']; // john
 
<?php if (! @$_SESSION['username']): ?>
<form method="GET">
    Username: <input type="text" name="username" value="john"/><br />
    Password: <input type="password" name="password" /><br />
    <input type="submit" name="btn_submit" value="Log In"/>
</form>
<?php endif; ?>
In other browser, test it as if you are an attacker.
 
http://localhost/test.php?PHPSESSID=123

// Sessionid: 123
// Logged user: john

REGENERATE

Every time a user's access level changes, regenerate the session identifier.
 
// Secure php.ini settings

ini_set("session.use_trans_sid", 0); // default 0
ini_set("session.use_cookies", 1); // default 1
ini_set("session.use_only_cookies", 1); // default 1

session_start();

// At every login change PHPSESSID
if (isset($_GET['btn_submit'])) {
    if ($_GET['username'] == 'john') {
        $_SESSION['username'] = 'john';
        session_regenerate_id(true); // Look Here
    }    
}    
echo "Sessionid: " . session_id(); // Sessionid: s0dl ...
echo "Logged user: " . @$_SESSION['username']; // john



  Last update: 405 days ago