SESSION FIXATION

This is a vulnerability in which an attacker is able to fix (set) a user's session identifier (session ID) before the user even logs in. Once the user authenticates under that identifier, the attacker can hijack the session and impersonate them. Session fixation occurs when the application accepts session identifiers (such as cookie values) from URL query strings or POST data.

VULNERABLE CODE

<?php
    if (!isset($_GET["token"])) {
        session_start();
        header("Location: /?redirect_uri=/complete.html&token=" . session_id());
    } else {
        setcookie("PHPSESSID", $_GET["token"]);
    }
?>

 * if (!isset($_GET["token"]))  // If no token parameter was supplied, start a session (generate and issue a valid session identifier).
 * header("Location: /?redirect_uri=/complete.html&token=" . session_id());  // Redirect the user to /?redirect_uri=/complete.html&token= with the result of session_id() appended as the token value, exposing the session identifier in the URL.
 * else ... setcookie("PHPSESSID", $_GET["token"]);  // If the token parameter is already present, set the PHPSESSID cookie to whatever value the token holds. Because that value comes straight from the query string, the session identifier is chosen by whoever built the URL, not by the server.

MITIGATION

Session fixation can be prevented by generating a new session ID after authentication, so that the pre-login session ID is invalidated. Use the built-in session-management functions and libraries of established platforms rather than custom session handling.

PHP

session_regenerate_id(bool $delete_old_session = false): bool

 * This replaces the current session identifier with a newly generated one; the current
   session data is kept. Refer to the following resource for more in-depth details:
    - https://www.php.net/manual/en/function.session-regenerate-id.php
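A hardened version of the login flow shown in the vulnerable code above, as an added example that is not code from the original page: it accepts session IDs from the cookie only, regenerates the ID at login with the old session deleted, and expires the cookie at logout. The user store is constructed for the example and check_credentials() is a hypothetical helper defined inline; /complete.html is the redirect target from the page.

```php
<?php
// Added example, not code from the original page: a hardened version of the
// login flow above. The user store below is constructed for the example only.

// 1. Accept the session ID from the cookie only (never from the query string or
//    POST body) and refuse IDs the server did not generate itself.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
// Contrast with the vulnerable code: there is no branch that copies
// $_GET["token"] into the PHPSESSID cookie, so a crafted ?token= is ignored.

// Constructed sample user store; real code would query a database.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

// Hypothetical helper: returns the user name on success, null otherwise.
function check_credentials(array $users, string $name, string $password): ?string
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return null;
    }
    return $name;
}

// 2. Logout: clear server-side state AND expire the cookie in the browser.
if (isset($_POST['logout'])) {
    $_SESSION = [];
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();
    header('Location: /');
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = check_credentials($users, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($name === null) {
        http_response_code(401);
        exit('Invalid credentials');
    }
    // 3. Privilege change: replace the pre-login session ID with a fresh one.
    //    Passing true deletes the old session record, so an ID known before
    //    login no longer resolves to anything; $_SESSION data is carried over.
    session_regenerate_id(true);
    $_SESSION['user']       = $name;
    $_SESSION['login_time'] = time();
    header('Location: /complete.html');
    exit;
}
```

With session.use_strict_mode enabled, PHP also discards any uninitialized session ID presented in the cookie and issues a new one, which closes the cookie-based variant of the same attack.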

JAVA

...
session.invalidate();
session = request.getSession(true);
...

 * This invalidates the current session and obtains a new session from the request object.
   Refer to the following resource for more in-depth details:
    - https://docs.oracle.com/cd/E19146-01/819-2634/6n4tl5kmm/index.html

.NET

...
Session.Abandon();
...

 * For session invalidation the .NET framework provides Session.Abandon(), but there is
   a caveat: on its own it is not sufficient. Microsoft states that "When you abandon a
   session, the session ID cookie is not removed from the browser of the user.
   Therefore, as soon as the session has been abandoned, any new requests to the same
   application will use the same session ID but will have a new session state
   instance." To address session fixation holistically, call Session.Abandon() and
   also overwrite the session cookie in the response header, or implement more robust
   cookie-based session management by enriching the information held within the
   cookie and performing server-side checks.
