Session fixation is a vulnerability in which an application authenticates a user (or otherwise establishes a new session) without invalidating the session identifier the client already carries. An attacker who can plant a known identifier in the victim's browser beforehand inherits the authenticated session as soon as the victim logs in; the standard defence is to issue a fresh identifier on login and discard the old one.
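The mechanism in the description above, as an added worked example (not code from any question on this page): a toy in-memory session handler with two switches, one mimicking PHP's session.use_strict_mode and one mimicking session_regenerate_id(true) in PHP or reset_session in Rails. The class, the credential, the attacker's planted id and the user names are all constructed for this illustration; the way the planted id reaches the victim's browser is described in a comment but not modelled.

```python
import secrets
from typing import Dict, Optional, Tuple


class SessionStore:
    """Toy server-side session handler (hypothetical, for illustration only).

    strict_mode     mirrors PHP's session.use_strict_mode: ids the server never
                    issued are rejected instead of adopted.
    rotate_on_login mirrors session_regenerate_id(true) in PHP or reset_session
                    in Rails: a successful login moves the session to a fresh id
                    and deletes the old one.
    """

    def __init__(self, strict_mode: bool, rotate_on_login: bool) -> None:
        self.strict_mode = strict_mode
        self.rotate_on_login = rotate_on_login
        self.sessions: Dict[str, dict] = {}
        # Constructed credential for the example.
        self.users = {"alice": "correct horse battery staple"}

    def start(self, presented_id: Optional[str]) -> str:
        """Like session_start(): bind the request to a session, return its id."""
        if presented_id is not None:
            if presented_id in self.sessions:
                return presented_id
            if not self.strict_mode:
                # Non-strict handlers create a session under whatever id the
                # client presents. That lets an attacker pick the victim's id.
                self.sessions[presented_id] = {}
                return presented_id
        fresh = secrets.token_urlsafe(32)
        self.sessions[fresh] = {}
        return fresh

    def login(self, presented_id: Optional[str], user: str, password: str) -> str:
        """Authenticate; return the id the client should carry afterwards."""
        sid = self.start(presented_id)
        if self.users.get(user) != password:
            return sid
        if self.rotate_on_login:
            # The fix: move the state to a new id and drop the old one, so any
            # id an attacker knew before login no longer resolves to this user.
            data = self.sessions.pop(sid)
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, presented_id: str) -> Optional[str]:
        return self.sessions.get(presented_id, {}).get("user")


def fixation_attack(strict_mode: bool, rotate_on_login: bool) -> Tuple[Optional[str], bool]:
    """Run the attack; return (user the attacker's id resolves to, id changed?)."""
    app = SessionStore(strict_mode, rotate_on_login)
    if strict_mode:
        # With strict ids the attacker simply visits the site first to obtain a
        # genuine unauthenticated id; strict mode alone does not stop fixation.
        planted = app.start(None)
    else:
        planted = "attacker-chosen-id"  # constructed; any string works here
    # Delivery of `planted` to the victim's browser (a ?PHPSESSID= link when
    # session.use_trans_sid is on, a cookie set from a sibling subdomain, XSS)
    # is not modelled; the victim is assumed to present it when logging in.
    victim_id = app.login(planted, "alice", "correct horse battery staple")
    return app.whoami(planted), victim_id != planted


if __name__ == "__main__":
    for strict in (False, True):
        for rotate in (False, True):
            seen, changed = fixation_attack(strict, rotate)
            print(f"strict_mode={strict!s:5} rotate_on_login={rotate!s:5} "
                  f"attacker sees user={seen!r:8} id rotated={changed}")
```

Only the rotate_on_login switch defeats the attack: with it off, the attacker's planted id resolves to alice in both the strict and non-strict configurations. The same comparison (does the id the client carried before login still authenticate afterwards, or equivalently does the Set-Cookie value change across login) is what an integration test for session fixation should assert.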
Questions tagged [session-fixation]
60 questions
108 votes, 7 answers
When and why I should use session_regenerate_id()?
Why and when should I use the session_regenerate_id() function in PHP?
Should I always use it after I use the session_start()?
I've read that I have to use it to prevent session fixation, is this the only reason?

rvandoni (3,297 rep)
17 votes, 2 answers
What is the use of the anti-forgery token salt?
In ASP.NET MVC 1.0, there is a new feature for handling the cross-site request forgery security problem:
<%= Html.AntiForgeryToken() %>
[ValidateAntiForgeryToken]
public ViewResult SubmitUpdate()
{
    // ... etc
}
I found the token generated in the HTML…

MemoryLeak (7,322 rep)
8 votes, 2 answers
Generating a new SessionID on Login (ASP.NET)
I'm trying to work through a number of security issues on a rather large ASP.NET web application (C#). To prevent session fixation attacks I'd like to generate a new session id every time a user authenticates himself. However I want to only generate a new…

Georg Z. (81 rep)
8 votes, 1 answer
Can you give me an example of a session fixation attack?
I have read about session fixation and from what I understand it forces a user to use an attacker's session. Is this correct? Can you give me an example of how this could affect the user?

Tony (18,776 rep)
7 votes, 1 answer
Session Replay vs Session Fixation vs Session Hijacking
Can anyone give a clear difference between session fixation, session replay and session hijacking attacks? I have read many articles, but the matter is still unclear between session hijacking and session replay attacks.

swapneil dash (71 rep)
7 votes, 1 answer
Preventing session fixation in ruby sinatra
Most of the session fixation topics in Ruby are related to Rails. Are there any session fixation vulnerabilities in Sinatra? In Rails we are mostly recommended to do reset_session before assigning sessions. How can we prevent session fixation…

Lordking (1,413 rep)
6 votes, 2 answers
Simple session fixation attack on localhost for testing purpose
I read many Q&As on SO about the risk of session fixation/hijacking, and many people suggest changing php.ini directives like session.use_only_cookies to ON and other php.ini directives to make the server more secure...
How do I fix Session…

Marco Demaio (33,578 rep)
5 votes, 1 answer
How can I find the new session_id after the reset_session command in Rails 3?
I am using the command "reset_session" as per here to avoid Session Fixation.
After running the command I would like to store the new generated session_id in the database but session[:session_id] is not defined.
I wrote a simple test:
class…

Lucamug (792 rep)
4 votes, 1 answer
How to clear/reset/renew the Session Cookie in an ASP.NET Core (Razor Pages) app on login or logout
I am trying to get a new value for the Session Cookie for every new login. Basically, the value in the screenshot below should have a new random string every time a user logs in. This is to avoid Session Fixation.
I have tried the following :
On…

Rakendu (43 rep)
4 votes, 1 answer
Rails/RSpec: reset_session not changing Set-Cookie HTTP header value during integration tests
I'm writing an integration test to make sure my webapp isn't vulnerable to session fixation.
I have manually verified that reset_session is actually firing in the authentication logic, and further that the cookie does indeed change when I log in…

jtolds (3,341 rep)
4 votes, 2 answers
Rails 3 with Authlogic and calling reset_session
The RoR Security Guide states that you should "issue a new session identifier and declare the old one invalid after a successful login" using the reset_session method to counter session fixation.
I haven't been able to find any guidance on calling…

Chris Hilton (717 rep)
3 votes, 2 answers
Current OAuth 1.0 spec - how does it address the session fixation attack?
I've implemented an OAuth 1.0 provider following this specification, which should be the latest. The specification was amended to address the session fixation attack that was identified in 2009. The thing is, short of having to diff the two…

Jon Nylander (8,743 rep)
3 votes, 2 answers
Rails4 security: Session fixation possible at all using encrypted cookies?
After studying the Rails guide and some other resources I'm wondering how a session fixation attack on a user's session can actually happen. At least I'm sceptical it works as simply as depicted here in the guide, where an attacker...
1) ...creates…

A. Neumann (488 rep)
2 votes, 1 answer
Preventing session fixation in java
I have a web application written in Java. We don't use sessions in the authentication process. An application scan was run and it was found that there is a possibility of a session fixation attack. I am wondering, when we are not using sessions, how do you fix…

yogsma (10,142 rep)
2 votes, 2 answers
Session fixation attack replication, term paper (php)
I'm trying to replicate a session fixation attack for my term paper and I've found quite a few tips here, but I can't replicate an attack on my localhost.
I've tried an example from here:
http://www.devshed.com/c/a/PHP/Sessions-and-Cookies/2/
fixation.php:

abaddon (21 rep)