Introduction to Session Fixation
Session fixation is an attack in which the attacker fixes the victim's session ID before the victim logs into the target web application. Because the attacker already knows the session ID, there is no need to steal it after the victim has logged in.
The attacker first obtains a valid session ID from the application that is about to be attacked, then sends a link containing that session ID to one or more victims. Once a victim clicks the link and logs into the web application, the attacker sends another request to the web application using the same session ID as the victim.
The web application treats the victim and the attacker as the same user, so the attacker is now authenticated within the web application and the victim's account is hijacked.
The Attack Scenario
- The attacker logs into the web application
- The attacker receives a valid session ID
- The attacker sends a URL with that fixed session ID to the victim(s)
- The victim clicks the link which contains a valid session ID known by the attacker
- The victim logs into the web application
- The attacker refreshes the page of the web application and is logged in as the victim
Protecting against Session Fixation
The best way to protect the web application against this type of attack is to generate a new session ID as soon as the user has authenticated and to destroy the previous session ID, so that any ID the attacker fixed before login no longer refers to a live session.
Example in PHP
After the user is successfully authenticated, regenerate the session ID by calling session_regenerate_id(TRUE).
The TRUE parameter destroys the previous session ID together with its stored data, so the old ID cannot be used again.
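As an added example (not the article's own code), the following PHP login handler puts the regeneration step into a complete flow. It also sets the session INI options that stop a session ID from being accepted out of a URL or from a client that the server never issued it to. The verify_credentials() function and the sample user store are constructed for illustration and are not part of the article.

```php
<?php
// Added example, not from the original article.
// Assumptions: a POST form with 'username' and 'password' fields, and a
// hypothetical verify_credentials() check standing in for the real one.
declare(strict_types=1);

// Harden how session IDs are accepted BEFORE the session is started.
ini_set('session.use_only_cookies', '1'); // never read the ID from the URL
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
ini_set('session.cookie_httponly', '1');  // cookie not readable from JavaScript
ini_set('session.cookie_secure', '1');    // cookie only sent over HTTPS

session_start();

/**
 * Hypothetical credential check; the application's real user store goes here.
 * The in-memory hash below is constructed at request time purely for the demo.
 */
function verify_credentials(string $username, string $password): bool
{
    $users = [
        'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ];
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

/**
 * Authenticate the user and, on success, switch to a brand new session ID.
 * A handler that sets $_SESSION['user'] WITHOUT calling session_regenerate_id()
 * is the vulnerable pattern the article describes: whoever fixed the ID before
 * login would share the now-authenticated session.
 */
function login(string $username, string $password): bool
{
    if ($username === '' || !verify_credentials($username, $password)) {
        return false;
    }

    $oldId = session_id();

    // Core defence: new ID, old session record deleted (TRUE parameter).
    if (!session_regenerate_id(true)) {
        // Do not proceed with a session whose ID could still be the fixed one.
        return false;
    }

    $_SESSION['user'] = $username;
    $_SESSION['authenticated_at'] = time();

    // Log the rotation so an unexpected reuse of $oldId can be investigated.
    error_log(sprintf(
        'login user=%s rotated session %s... -> %s...',
        $username,
        substr($oldId, 0, 6),
        substr(session_id(), 0, 6)
    ));

    return true;
}

if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
    header('Location: /dashboard.php');
    exit;
}

http_response_code(401);
echo 'Invalid credentials';
```

session.use_only_cookies and session.use_strict_mode complement the regeneration rather than replace it: they block the two cheap ways of handing a victim an attacker-chosen ID (a session ID in a link, or an arbitrary ID the server never created), while session_regenerate_id(TRUE) is what guarantees that a session ID known before login is worthless after it.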