Session fixation is a vulnerability where an attacker is able to fix or set a user's session identifier (session ID) before the user even logs in. Once the user authenticates, the attacker-chosen ID becomes an authenticated session, which allows the attacker to hijack that session and impersonate the user. Session fixation occurs when an application accepts session identifiers (such as cookie values) from URL query strings or POST data instead of issuing them itself.
VULNERABLE CODE
<?php
if (!isset($_GET["token"])) {
session_start();
header("Location: /?redirect_uri=/complete.html&token=" . session_id());
} else {
setcookie("PHPSESSID", $_GET["token"]);
}
?>
* if (!isset($_GET["token"])) // If the token parameter has not been supplied, start a session (generate and issue a valid session identifier).
* header("Location: /?redirect_uri=/complete.html&token=" . session_id()); // Redirect the user to /?redirect_uri=/complete.html&token= with the value returned by session_id() appended as the token value.
* else... // If the token parameter is already set (else branch), store its value in the PHPSESSID cookie, i.e. the application accepts whatever session ID the request supplies, including one chosen by an attacker.
MITIGATION
Session fixation can be prevented by generating a new session ID after authentication, so that any session ID issued before login is invalidated. Use the built-in session-management functions and libraries of established programming platforms rather than custom implementations.
PHP
session_regenerate_id(bool $delete_old_session = false): bool
* This replaces the current session identifier with a newly generated one. The current
session information is kept. Refer to the following resource for more in-depth details:
- https://www.php.net/manual/en/function.session-regenerate-id.php
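The following is an added example, not code from the original page: a hardened counterpart to the vulnerable handler above, showing where session_regenerate_id(true) belongs in a login flow. The login form fields, the check_credentials() helper and the demo user store are assumptions made for the example.

```php
<?php
// Added example: login handler that rotates the session ID on authentication.
// Refuse session IDs the server did not generate itself (use_strict_mode) and
// never read them from the URL (use_only_cookies). Both must be set before
// session_start().
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'httponly' => true,  // not readable from JavaScript
    'secure'   => true,  // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Constructed demo user store (assumption for this example; a real application
// reads the password hash from its user database).
$DEMO_USERS = ['alice' => password_hash('demo-password', PASSWORD_DEFAULT)];

// Hypothetical helper: verifies a password against the stored hash.
function check_credentials(array $users, string $user, string $pass): bool
{
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';

    if (check_credentials($DEMO_USERS, $user, $pass)) {
        // Discard the pre-login session ID, however the browser obtained it:
        // a fresh ID is issued and the old session data is deleted
        // (delete_old_session = true), so an ID fixed by an attacker before
        // login never becomes an authenticated session.
        session_regenerate_id(true);
        $_SESSION['user']    = $user;
        $_SESSION['auth_at'] = time();
        header('Location: /complete.html');
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
}
```

Note that session_regenerate_id() with the default delete_old_session = false leaves the old session data on disk, so the old ID can still be replayed until it expires; pass true when closing a fixation window.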
JAVA
...
session.invalidate();
session = request.getSession(true);
...
* This invalidates the current session and obtains a new session from the request object.
Refer to the following resource for more in-depth details:
- https://docs.oracle.com/cd/E19146-01/819-2634/6n4tl5kmm/index.html
.NET
...
Session.Abandon();
...
* For session invalidation the .NET framework provides Session.Abandon(),
but there is a caveat: Session.Abandon() alone is not sufficient for this task. Microsoft
states that "When you abandon a session, the session ID cookie is not removed from
the browser of the user. Therefore, as soon as the session has been abandoned, any
new requests to the same application will use the same session ID but will have a
new session state instance." To address session fixation holistically, one needs to
call Session.Abandon() and overwrite the cookie header, or implement more complex
cookie-based session management by enriching the information held within the cookie
and performing server-side checks.