
Is it true to say the tactic of regenerating session IDs is only useful to prevent session hijacking via session fixation? If not, how does regenerating IDs help prevent session hijacking?

This popular answer recommends changing the session ID often because:

"...if an attacker does hijack a session you don't want them to be able to use it for too long."

But if the attacker has already hijacked a session won't they just receive the new session ID?

paul
  • Better to log the user out and let him log in again, and then generate a new session. – Krab Jul 18 '13 at 16:07
  • Thanks, but it's not possible to determine that a request came from a hijacked session (user-agent/IP checks are not viable) so I would not know to log the user out. – paul Jul 18 '13 at 16:24

1 Answer

It'd be a race condition. You'd have 2+ users both sharing the same session ID. At some point your code decides to regenerate the ID, which would send the new ID to one of those users. If the attacker lucks out and their "hit" is the one that gets the regenerated ID, they'll be in the clear and have total control over that session now.

If the actual user gets the regenerated ID, then the attacker is now left with an invalid session ID, and they'll have to try and hijack the freshly regenerated ID and start over again.

Marc B
  • So a benefit of regenerating when privileges change is that the actual user will be more likely to elevate privileges and will therefore get the new ID, invalidating the attacker's session? – paul Jul 18 '13 at 16:20
  • Changing privilege levels would be a good time to regenerate the ID. E.g. let's say the attacker can reliably steal a session ID 100% of the time, but only gets it 15 minutes "late". If you regenerate the ID every 14 minutes, the attacker's locked out because they'll never have access to a "current" ID. Your user elevates (new ID), does whatever, then de-escalates to normal (another new ID); the attacker never has a chance to exploit the elevated session. – Marc B Jul 18 '13 at 16:24
  • Just to be clear: Regenerating ID when the user changes privilege level AS WELL AS regenerating ID every so often is a good solution? Or are you presuming the privilege level would change at least once every 15 minutes? – paul Jul 18 '13 at 16:31
  • Unconditional periodic regens are a good idea, but explicitly forcing a regen when privilege levels change is a good idea too. – Marc B Jul 18 '13 at 16:33
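The race described in the answer and the "always one rotation behind" argument from the comments, as an added worked example that is not part of the original question, answer or comments. It is a toy in-memory session store that rotates the ID on a privilege change and once the ID is REGEN_INTERVAL old, plus two constructed scenarios: one where the victim elevates while the attacker holds a copy of the ID, and one where the victim sends a request every minute and the attacker only obtains IDs some fixed lag late. The store, the 14-minute interval (taken from the comment), the per-minute traffic pattern and the names alice/admin are all assumptions for illustration, not anyone's production code.

```python
import secrets
import time

# Assumption taken from the comment thread: rotate every 14 minutes so an attacker
# who only obtains IDs 15 minutes late never holds a current one.
REGEN_INTERVAL = 14 * 60  # seconds


class SessionStore:
    """Toy server-side session store keyed by an opaque, random session ID."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the simulation can fast-forward
        self._sessions = {}      # sid -> {"user", "role", "created"}

    def create(self, user, role="user"):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "role": role, "created": self._now()}
        return sid

    def regenerate(self, sid):
        """Move the session data under a fresh ID; the old ID stops working at once."""
        data = self._sessions.pop(sid)
        data["created"] = self._now()
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def handle_request(self, sid, elevate=None):
        """Serve one request -> (ok, sid_to_send_back, role). The ID is rotated on a
        role change and once it is REGEN_INTERVAL old; the sender gets the new ID."""
        data = self._sessions.get(sid)
        if data is None:
            return False, None, None
        rotate = False
        if elevate is not None and elevate != data["role"]:
            data["role"] = elevate
            rotate = True
        if self._now() - data["created"] >= REGEN_INTERVAL:
            rotate = True
        if rotate:
            sid = self.regenerate(sid)
        return True, sid, data["role"]


def privilege_change_scenario():
    """Attacker holds a copy of the victim's ID; the victim then elevates."""
    clock = [0.0]
    store = SessionStore(now=lambda: clock[0])
    user_sid = store.create("alice")
    stolen = user_sid                                   # attacker's copy
    ok_before, _, role_before = store.handle_request(stolen)
    # Only the victim can present credentials, so the victim's request is the one
    # that triggers the rotation and receives the new ID.
    _, user_sid, user_role = store.handle_request(user_sid, elevate="admin")
    ok_after, _, _ = store.handle_request(stolen)
    return {"attacker_ok_before": ok_before, "attacker_role_before": role_before,
            "attacker_ok_after": ok_after, "user_role": user_role,
            "rotated": user_sid != stolen}


def periodic_scenario(attacker_lag, attacker_first, minutes=60):
    """Victim sends one request per minute; the attacker can steal any ID the victim
    used but only learns it `attacker_lag` seconds late (constructed scenario).
    `attacker_first` says whose request arrives first within a minute, i.e. who
    triggers the periodic rotation and therefore receives the new ID."""
    clock = [0.0]
    store = SessionStore(now=lambda: clock[0])
    state = {"user_sid": store.create("alice"), "owned": None,
             "hits": 0, "locked_out_at": None}
    history = [(0.0, state["user_sid"])]   # (time from which the victim held it, sid)

    def attacker_turn():
        seen = clock[0] - attacker_lag
        if state["owned"] is None and seen < 0:
            return                                      # nothing stolen yet
        sid = state["owned"] or [s for t, s in history if t <= seen][-1]
        ok, new_sid, _ = store.handle_request(sid)
        if ok:
            state["hits"] += 1
            if new_sid != sid:                          # attacker won the race: the
                state["owned"] = new_sid                # rotated ID went to them

    def user_turn():
        if state["locked_out_at"] is not None:
            return
        ok, new_sid, _ = store.handle_request(state["user_sid"])
        if not ok:                                      # victim is left with a dead ID
            state["locked_out_at"] = int(clock[0] // 60)
        elif new_sid != state["user_sid"]:
            state["user_sid"] = new_sid
            history.append((clock[0], new_sid))

    for minute in range(1, minutes + 1):
        clock[0] = minute * 60.0
        turns = (attacker_turn, user_turn) if attacker_first else (user_turn, attacker_turn)
        for turn in turns:
            turn()
    return {"attacker_hits": state["hits"], "user_locked_out_at": state["locked_out_at"]}
```

Running `periodic_scenario(attacker_lag=15 * 60, attacker_first=True)` gives the comment's case: the attacker never scores a hit and the victim is never locked out, because every stolen ID was already rotated away before the attacker could use it. With a 5-minute lag and the attacker's request arriving first, the attacker's own request triggers the rotation at minute 14, the attacker keeps the fresh ID and the victim is the one left with a dead ID; with the victim's request arriving first, the attacker is cut off at each rotation and has to steal the new ID again, exactly the "start over" outcome the answer describes. Note that the privilege-change rotation is not a coin flip in the same way: only the party who can present credentials can trigger it, so that rotation always lands with the real user.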