Session Fixation is a security vulnerability which occurs after authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier. It gives an attacker the opportunity to steal authenticated sessions.
Questions tagged [session-fixation]
60 questions
97 votes, 7 answers
When and why should I use session_regenerate_id()?
Why and when should I use the session_regenerate_id() function in PHP?
Should I always use it after I use the session_start()?
I've read that I have to use it to prevent session fixation, is this the only reason?
rvandoni
16 votes, 2 answers
What is the use of the anti-forgery token salt?
In ASP.NET MVC 1.0, there is a new feature for handling cross site request forgery security problem:
<%= Html.AntiForgeryToken() %>
[ValidateAntiForgeryToken]
public ViewResult SubmitUpdate()
{
// ... etc
}
I found the token generated in html…
MemoryLeak
8 votes, 2 answers
Generating a new SessionID on Login (ASP.NET)
I'm trying to work a number of security issues on a rather large ASP.NET web application (C#). To prevent session fixation attacks I'd like to generate a new session id every time a user authenticates himself. However I want to only generate a new…
Georg Z.
7 votes, 1 answer
Preventing session fixation in ruby sinatra
Most of the session fixation topics in Ruby are related to Rails. Are there any session fixation vulnerabilities in Sinatra? In Rails we are mostly recommended to do reset_session before assigning sessions. How can we prevent session fixation…
Lordking
7 votes, 1 answer
Can you give me an example of a session fixation attack?
I have read about session fixation and from what I understand it forces a user to use an attacker's session. Is this correct? Can you give me an example of how this could offend the user?
Tony
6 votes, 2 answers
Simple session fixation attack on localhost for testing purposes
I read many Q/As on SO about the risk of session fixation/hijacking, and many people suggest changing php.ini directives like session.use_only_cookies to ON and other php.ini directives to make the server more secure...
How do I fix Session…
Marco Demaio
6 votes, 1 answer
Session Replay vs Session Fixation vs Session Hijacking
Can anyone give a clear difference between session fixation, session replay and session hijacking attacks? I have read many articles, but the matter is still unclear between session hijacking and session replay attacks.
swapneil dash
5 votes, 1 answer
How can I find the new session_id after the reset_session command in Rails 3?
I am using the command "reset_session" as per here to avoid Session Fixation.
After running the command I would like to store the newly generated session_id in the database, but session[:session_id] is not defined.
I wrote a simple test:
class…
Lucamug
4 votes, 1 answer
Rails/RSpec: reset_session not changing Set-Cookie HTTP header value during integration tests
I'm writing an integration test to make sure my webapp isn't vulnerable to session fixation.
I have manually verified that reset_session is actually firing in the authentication logic, and further that the cookie does indeed change when I log in…
jtolds
4 votes, 2 answers
Rails 3 with Authlogic and calling reset_session
The RoR Security Guide states that you should "issue a new session identifier and declare the old one invalid after a successful login" using the reset_session method to counter session fixation.
I haven't been able to find any guidance on calling…
Chris Hilton
3 votes, 1 answer
Rails4 security: Session fixation possible at all using encrypted cookies?
After studying the Rails guide and some other resources I'm wondering how a session fixation attack on a user's session can actually happen. At least I'm sceptical it works as simply as depicted here in the guide, where an attacker...
1) ...creates…
A. Neumann
2 votes, 1 answer
Preventing session fixation in Java
I have a web application written in Java. We don't use sessions in the authentication process. An application scan was run and it found that we have the possibility of a session fixation attack. I am wondering, when we are not using sessions, how do you fix…
yogsma
2 votes, 2 answers
Session fixation attack replication, term paper (PHP)
I'm trying to replicate session fixation for my term paper and I've found quite a few tips here, but can't replicate an attack on my localhost.
I've tried an example from here:
http://www.devshed.com/c/a/PHP/Sessions-and-Cookies/2/
fixation.php:
abaddon
2 votes, 2 answers
Current OAuth 1.0 spec - how does it address the session fixation attack?
I've implemented an OAuth 1.0 provider following this specification, which should be the latest. The specification was amended to address the session fixation attack that was identified in 2009. The thing is, short of having to diff the two…
Jon Nylander
2 votes, 2 answers
Generate a new session ID
How do I generate a new session ID without extending the HttpServlet class? Is it mandatory to extend the HttpServlet class, and is it mandatory to generate the new session ID within the doGet method?
public class LoginSupport extends ActionSupport {
public void…
Mapa