What is Session Fixation?

Posted on October 30, 2020 by Mel Hawthorne

There are many different types of security vulnerabilities found in websites; one interesting one is called “Session Fixation”. Session fixation is an issue where an attacker can influence the session identifier (the session id) of a user and then use it to gain access to their account. There are two ways this type of vulnerability can work: it can allow the attacker either to learn or to set the session id of another user.

How a session fixation attack is performed

The session id of a user is often a key part of authentication to the website and, in many cases, is the only data that identifies which user is logged in. The problem is that if an attacker can set or learn the session id of another user, they can present that session token and act as that user.

Typically, this is done by tricking a user into clicking a type of phishing link. The link itself points to the legitimate site but includes a parameter that sets a specified session id. If the user then logs in with that session id and the server does not assign them a new session id on login, the attacker can simply set their own session id to the same value and gain access to the victim’s account.

Another way the attacker can discover the victim’s session id is if it appears in a URL. For instance, if the attacker can trick the victim into sending them a link that includes the victim’s session id, the attacker can use that session id to access the victim’s account. In some cases, this can happen completely by accident: if the user copies a URL containing the session id and pastes it to a friend or in a forum, any user who follows the link will be signed in with the original user’s account.

Session fixation remediations

There are a few solutions to this issue, and as always, the best approach is to implement as many of them as possible as part of a defence-in-depth strategy. The first is to change the user’s session id when they sign in; this prevents an attacker from ever being able to influence the session id of a logged-in user. You can also configure the server to accept only session ids that it generated itself and to explicitly reject any user-provided session id.

The website should be configured never to place sensitive user details such as the session id in the URL, and should instead place it in a GET or POST request parameter. This prevents the user from accidentally leaking their own session id. By using both a session id and a separate authentication token, you double the amount of information the attacker needs to obtain and prevent attackers from accessing sessions with known session ids.

It is vital that all valid session ids for a user are invalidated when the logout button is clicked. It is also possible to regenerate the session id on every request; if previous session ids are invalidated, this also prevents attackers from using a known session id. This approach significantly reduces the threat window if a user discloses their own session id.

By enabling several of these approaches, a defence-in-depth strategy can eliminate this issue as a security risk.
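To make the attack flow and the remediations above concrete, here is an added example (not code from the article or from any particular framework) of a minimal server-side session store. With `hardened=False` it adopts whatever session id the client presents and keeps that id across login, which is exactly the condition the attack needs; with `hardened=True` it only honours ids it generated itself, rotates the id on login, and drops it on logout. The `SessionStore` class, `fixation_succeeds` helper and the "attacker-chosen-id" value are all constructed for this illustration.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store; `hardened` switches on the article's remediations."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.sessions = {}  # session id -> {"user": username or None}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)  # server-generated, unguessable id
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, client_sid):
        """Map the id the client presented (e.g. from its cookie) to a server-side session."""
        if client_sid in self.sessions:
            return client_sid
        if self.hardened:
            # Remediation: never accept an id the server did not issue; hand out a fresh one instead.
            return self.new_session()
        # Vulnerable behaviour: adopt the client-supplied id as a brand-new session.
        self.sessions[client_sid] = {"user": None}
        return client_sid

    def login(self, client_sid, username: str) -> str:
        sid = self.resolve(client_sid)
        if self.hardened:
            # Remediation: rotate the id at login so any id known before login is worthless afterwards.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid]["user"] = username
        return sid  # the id the server sets in the response cookie

    def whoami(self, client_sid):
        return self.sessions.get(client_sid, {}).get("user")

    def logout(self, client_sid) -> None:
        # Remediation: invalidate the session server-side, not just clear the cookie.
        self.sessions.pop(client_sid, None)


def fixation_succeeds(hardened: bool) -> bool:
    """Replay the scenario from the article: a planted id is used at login, then presented again."""
    store = SessionStore(hardened)
    planted = "attacker-chosen-id"  # constructed: the id delivered to the victim via the crafted link
    store.login(planted, "victim")  # the victim signs in while carrying the planted id
    # True means the planted id now resolves to the victim's authenticated session.
    return store.whoami(planted) == "victim"
```

Running `fixation_succeeds(False)` returns `True` and `fixation_succeeds(True)` returns `False`, showing that either rejecting unknown ids or rotating on login breaks the link between the planted id and the authenticated session.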


Filed Under: Internet
