phpsessionsessionidsession-fixation

Why is regenerating the session not a solution for preventing spoofing?


After hours of reading and trying to understand sessions, this is my general conclusion/perspective:

Simple (and realistic) situation:

Because Victim clicked on the '9gag.com/?SID=1234' and logged in; he is now logged in on a session with id=1234. Note that every session has a unique id. This is necessary for the server to handle each session individual. It is possible though to get on the same session (with same id) from several computers at the same time.

To prevent this, the host of this site can use the following PHP code:

<?php

  session_start();

  if (!isset($_SESSION['initiated']))
  {

    session_regenerate_id();
    $_SESSION['initiated'] = TRUE;
  }

  ?>

When initiated is true (so when random sessionID has been generated) a new sessionID won't be generated. Otherwise, generate new sessionID. So when a victim logs in with a given sessionID '1234', it will throw it away and generate a new one. Now the Attacker can't get on the same sessionID as you because he does not know it.

The Attacker is smart and knows another way:

QUESTIONS: How is this possible?:

EDIT: Attacks using cross-site cooking:

QUESTIONS: again, how is this possible?:

PLEASE MODIFY ANY MISUNDERSTANDINGS FROM MY PART! Thanks in advance.


Solution

  • Is the $_SESSION['initiated'] based on the given ID? So 'initiated == true' because it uses the session of id '412e11d5'?

    No, it's based on a given session. But initiated == true, since for that given session it is initiated. The session is saved with that id at that time, yes, so that session with that id is initiated.

    Attacker made the session first, otherwise the ID couldn't have been generated. So shouldn't the Victim get on the Attackers session (on his account settings,..) instead of visa versa?

    Yes. But if the attacker created a session without logging in, and Victim would log in, it would be (originally) attackers session, but victims logging details.

    It looks like session fixation is based on a lot off luck. The Attacker has to get on the website at the same moment as the victim. I guess I just don't get how this works..

    No, the attacker doesn't need to get in at the same moment. Just when the session is still valid with the given id.


    Now, an easy solution for all this is to disable session id in urls (trans_sid). This should be always done.

    For more security, session id can (and in some cases should) be regenerated on every request/response.