php, cookies, authentication, session-hijacking, session-fixation

Auto login on other tabs when one tab is logged in


Alright, I'm trying to test session fixation/hijacking on my localhost.

I'm trying to give my URL with the SID from the attacker to the victim and let the victim log in at that URL. But when the victim logs in, the attacker refreshes the page and is still on the login page.

Then I discovered that if I have two login tabs in a browser and the victim logs in in Tab 1, Tab 2 doesn't auto-login after refreshing. So that's probably why my attacker stays on the login page?

My question is: what do I have to do in my PHP files to auto-login the user in the other tabs if he has already logged in in one tab? What keyword should I look up for this kind of case?


Solution

  • Sessions use cookies to remember whether a user has logged in or not. When you start a session (session_start()), the server sends a session cookie with a unique session id. When a user requests a page that requires a login, the server checks the cookie with the id to make sure that it is valid.

    Session Fixation and Session Hijacking are quite similar; the main difference lies in how the session is compromised. Never put the SESSID in the URL; you are just asking to be hacked. Instead, I would suggest you create a session variable when a user is logged in.
    E.g.:

    AUTO LOGIN: CHECK CODE

    session_start();
    if (isset($_SESSION['logged_in'])) {
        // already authenticated in this browser: send straight to the protected page
        header("Location: loginonlypage.php");
        exit;
    }
    

    PREVENT SESSION HIJACKING/FIXATION:
    However, just because your session id is not in the URL does not mean session hijacking/fixation will not occur. Use the user's IP as a safeguard to prevent this. Also make sure to set your session cookies to HttpOnly so JavaScript doesn't get tempted to eat your cookies :)

    ini_set('session.cookie_httponly', 1); // set the HttpOnly cookie flag; must run before session_start()
    session_start();

    if (!isset($_SESSION['last_ip'])) {
        // first request of this session: remember where it came from
        $_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];
    }

    if ($_SESSION['last_ip'] !== $_SERVER['REMOTE_ADDR']) {
        // session presented from a different address: throw it away
        session_unset();
        session_destroy();
    }
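The answer's pieces (cookie-only session ids, the HttpOnly flag, the logged_in flag and the IP check) fit together into one login flow, shown here as an added PHP example that is not part of the original answer. It also adds the step that directly defeats the fixation attempt in the question: calling session_regenerate_id(true) at the moment of login, so any id the attacker planted is discarded server-side and the session the victim gets is one the attacker never saw. The file name auth_example.php, the function names, the redirect target login.php and the demo user table are all assumptions made for this example; loginonlypage.php is taken from the answer. It requires PHP 7.3 or later for the array form of session_set_cookie_params() and setcookie().

```php
<?php
// auth_example.php (hypothetical file name): cookie-only sessions, id
// regeneration on login, and a per-request check for protected pages.

// Start the session with hardened settings. Everything here must run
// before session_start(), because that call is what emits the cookie.
function secure_session_start(): void
{
    // Ignore any session id supplied in the URL; only the cookie counts.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse ids the server did not generate itself: an attacker-chosen
    // id is dropped and a fresh one issued, which blunts fixation.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,                         // expires with the browser
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']), // TLS only when available
        'httponly' => true,                      // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed demo credential store; a real application reads this from
// a database. The hash is computed at load time so the file is self-contained.
function demo_users(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users;
}

// Verify credentials and, on success, swap the session id. The old id
// (possibly planted by an attacker) is deleted server-side, so whoever
// holds it gets nothing.
function login(string $username, string $password): bool
{
    $hash = demo_users()[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['user']      = $username;
    $_SESSION['last_ip']   = $_SERVER['REMOTE_ADDR'] ?? '';
    return true;
}

// Call at the top of every page that requires a login, after
// secure_session_start(). Redirects to login.php (assumed name) otherwise.
function require_login(string $login_page = 'login.php'): void
{
    $ip_changed = isset($_SESSION['last_ip'])
        && $_SESSION['last_ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '');
    if (empty($_SESSION['logged_in']) || $ip_changed) {
        logout();
        header('Location: ' . $login_page);
        exit;
    }
}

// Drop all server-side state and expire the cookie in the browser.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Example request handling for the login form: a POST with username/password.
secure_session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
        header('Location: loginonlypage.php');
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
}
```

A protected page includes this file, calls secure_session_start() and then require_login(); the second browser tab in the question picks the login up on refresh because both tabs share the same cookie jar, while a different browser (the attacker's) never does. The IP check mirrors the answer's safeguard; be aware that it logs out legitimate users whose address changes mid-session (mobile networks, corporate proxies), so many applications treat a changed address as a reason to re-authenticate rather than as proof of hijacking.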