We developers use session-protected functionality to restrict unwanted access and provide security. Do we know there are 2 very popular session attacks?
In the first type of attack, the attacker hijacks a user’s session and uses that same session to obtain privileges she is not entitled to. This is called “session hijacking”.
In the second type of attack, the attacker tricks the victim into using a session the attacker has chosen, which in turn discloses the victim’s valuable details. Because the attacker fixes the victim’s session in advance, this is called “session fixation”.
In both cases the main goal is for the attacker to share the same session the victim is using.
Procedure of Attack:
Except for the initial step, both types are the same.
Session Fixation: This process starts before the victim logs in. First the attacker logs into the system and receives a valid session identifier (say sessionid = abcd). Now the attacker sets the victim’s session even before the victim logs in.
Following are 2 basic ways to trick the user-
http://anywebsite.com/<meta http-equiv=Set-Cookie content=”sessionid=abcd”>
Now if the victim clicks on this type of link, their session ID is set to “abcd”. When the victim then logs in, that same session ID stays associated with the authenticated session.
Session Hijacking: In this process the attacker tries to grab a session the victim is already using.
Following are a few basic ways to attack-
using cross site scripting –
Now the attacker impersonates the victim, since she is using the same session as the victim, and does whatever she wants.
-> Since session fixation starts before login, we can create a new session whenever a user logs in, hence preventing the use of a pre-existing session.
-> Use session_regenerate_id();
Session hijacking cannot be directly prevented; however, we can take steps to make it very difficult. Remember: the harder we make it, the more likely the attacker will give up and look for a softer target.
-> Use a strong session hash identifier: session.hash_function in php.ini. If PHP < 5.3, set “session.hash_function = 1” for SHA1.
If PHP >= 5.3, set it to session.hash_function = sha256 or session.hash_function = sha512.
-> Set “session.hash_bits_per_character = 5” in php.ini. The ID the attacker has to guess will be shorter, but it is drawn from a larger character set.
-> Change the default session name from PHPSESSID to something else.
-> Save $_SERVER['HTTP_USER_AGENT'] in the session and check the user agent on every request.
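The defences listed above, pulled together into one PHP script as an added example (this is not code from the original post). It regenerates the session ID at login, renames the session cookie, and binds the session to the user agent; the authenticate() function and its credential store are a constructed stand-in, and the cookie-only / strict-mode / HttpOnly settings go beyond the post’s own list.

```php
<?php
// Added example: defensive session handling in PHP (not from the original post).
// All ini settings must be applied before session_start().
session_name('APPSESS');                   // don't advertise PHPSESSID
ini_set('session.use_only_cookies', '1');  // ignore IDs passed in the URL
ini_set('session.use_strict_mode', '1');   // reject IDs this server never issued (PHP >= 5.5.2)
ini_set('session.cookie_httponly', '1');   // script in the page cannot read the cookie
session_start();

// Constructed credential store for the example; a real app looks this up in a database.
function authenticate(string $user, string $pass): bool
{
    $users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Bind the session to the client's user agent and reject it if that changes.
function bind_session_to_client(): void
{
    $uaHash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!isset($_SESSION['ua_hash'])) {
        $_SESSION['ua_hash'] = $uaHash;     // first request: record the fingerprint
        return;
    }
    if (!hash_equals($_SESSION['ua_hash'], $uaHash)) {
        // User agent changed mid-session: treat as a possible hijack and drop it.
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('Session invalid');
    }
}

// Log the user in, discarding whatever session ID existed before authentication.
function login_user(string $user, string $pass): bool
{
    if (!authenticate($user, $pass)) {
        return false;
    }
    // Session fixation defence: the pre-login ID (possibly planted by an attacker)
    // is replaced by a fresh one; 'true' deletes the old session data on the server.
    session_regenerate_id(true);
    $_SESSION['user']    = $user;
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return true;
}

bind_session_to_client();   // run on every request, before any session-protected code
```

Note that session.hash_function and session.hash_bits_per_character were removed in PHP 7.1; on newer versions the ID strength is set with session.sid_length and session.sid_bits_per_character instead.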
Defend against attackers 🙂