From what I can read online, it appears that session fixation attacks are caused by session_id information being passed through query strings in the URL, or possibly through POST. For my website, I never pass the session information through GET or POST; I am simply storing the session information in the SESSION! That seems incredibly obvious to me, to the point that I feel as if I am missing something... Can you protect your client's session_id information if you simply store the session_id in the browser's SESSION?
-1
- possible duplicate of [PHP Session Fixation / Hijacking](http://stackoverflow.com/questions/5081025/php-session-fixation-hijacking) – Anonymous Jul 17 '15 at 19:07
1 Answer
0
Session fixation is an attack where the attacker defines the session ID or is able to create one that is known to him, then passes this ID to the unsuspecting victim, who uses this ID, not knowing that it wasn't created randomly.
Your mention of "you are storing the session information in the session" completely misses the point. This attack doesn't mean to access this data directly. It targets the ID - this ID should be sufficiently random, but the session fixation attack circumvents this.
Note that even when there is no possibility of session fixation, there are more possible attack vectors available to break into a session.

Sven
- I should have known that this already has been asked - with WAY better answers than this one. – Sven Jul 17 '15 at 19:09
- By storing my session_ids in the session, there is never an option for an attacker to send the victim an existing session_id. I pull the session_id from the session array, and move along. I seriously must be missing something because that seems too simple. – brent ryczak Jul 17 '15 at 19:12
- Notice: I read every post here about session fixation. Still doesn't help me understand how someone can send a victim an existing session_id if I only store and pull them in the session array. – brent ryczak Jul 17 '15 at 19:13
- Yes, you miss something. You cannot store the session id in the session, because you use that ID to access the session. No ID? No session data! The ID is the key to be able to load the data that has previously been accumulated and saved. Without the ID you can't read the ID (or anything else) from $_SESSION. – Sven Jul 17 '15 at 22:47
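
The point made in the answer and its last comment, as an added example that is not part of the original thread: a toy Python model of a server-side session store, showing that session data is looked up by the ID the browser presents, and that fixation is stopped by rejecting IDs the server never issued or by issuing a new ID at login. The class, function names and `PLANTED_SID` are assumptions made for illustration; `strict` models the idea behind PHP's `session.use_strict_mode` and `regenerate` models `session_regenerate_id(true)`.

```python
import secrets

class SessionStore:
    """Toy server-side session store: session data is keyed by the session ID."""

    def __init__(self, strict):
        self.strict = strict   # strict=True: only IDs this server issued are accepted
        self.data = {}         # session ID -> that session's data (the "$_SESSION" contents)

    def start(self, cookie_sid=None):
        """Return the session ID used for a request that presented cookie_sid."""
        if cookie_sid in self.data:
            return cookie_sid                  # known ID: load the existing session
        if cookie_sid and not self.strict:
            self.data[cookie_sid] = {}         # permissive: adopt the client-chosen ID
            return cookie_sid
        sid = secrets.token_hex(16)            # otherwise issue a fresh random ID
        self.data[sid] = {}
        return sid

    def login(self, sid, user, regenerate):
        """Mark the session as authenticated, optionally under a new ID."""
        if regenerate:
            new_sid = secrets.token_hex(16)
            self.data[new_sid] = self.data.pop(sid)   # old ID stops resolving
            sid = new_sid
        self.data[sid]["user"] = user
        return sid

    def whoami(self, cookie_sid):
        """Which user a request carrying cookie_sid is treated as (None if nobody)."""
        return self.data.get(cookie_sid, {}).get("user")


PLANTED_SID = "known-to-someone-else"          # constructed sample value


def scenario(strict, regenerate):
    """Victim's browser arrives holding PLANTED_SID; return who that ID maps to afterwards."""
    store = SessionStore(strict)
    sid = store.start(PLANTED_SID)             # victim's first request
    store.login(sid, "victim", regenerate)     # victim authenticates
    return store.whoami(PLANTED_SID)           # a second party presenting the known ID


if __name__ == "__main__":
    for strict, regen in [(False, False), (False, True), (True, False)]:
        print(f"strict={strict} regenerate={regen} ->", scenario(strict, regen))
```

Nothing stored inside the session data changes the outcome of the first scenario, because the lookup happens before any of that data can be read.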