Dr. Drew Hwang, CIS, Cal Poly Pomona
Secure Web Development
Insecure Direct Object Reference
Unvalidated Redirects and Forwards
In a session fixation attack, an attacker issues (sets or fixates) a user's SID before the user logs into the target server and forces the user's browser into using the attacker's session. This attack eliminates the need to hijack the user's SID.
1. Session setup
The attacker sets up a "trap session" on the target server, obtains a SID, maintains the SID by repeatedly sending requests referencing it to avoid idle session timeout.
2. Session fixation
The attacker tries to transport the trap session ID to the user's browser, thereby fixating his session.
Cookies have been predominantly used to store the SID because of their security in comparison to hidden form fields. However, at the same time cookies also provide the most convenient way of exploiting session fixation vulnerabilities. A cookie can be set up to allow access only to either the issuing server or the issuing server's domain.
3. Session entrance
Finally, the attacker waits until the user logs in to the target server and uses his session. After the user logs in to the trap session and before he has logged out, the attacker enters the trap session and assumes the user's identity.
Preventing session fixation attacks is the responsibility of the web application, not the underlying web server.
Preventing logins to a chosen session: Web applications must ignore any SID provided by the user's browser at login and always generate a new session once the user is successfully authenticated.
Binding the session ID to the browser's network address or the user's SSL client certificate.
Upon logging out or timeout, the SID needs to be deleted not only on the browser but also on the server.
Absolute session timeouts: This prevents attackers from maintaining a trap session, and the user's session once it has been entered, for a long period of time.
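A minimal session store, added here as an illustration (it is not code from the course slides or from Kolsek's paper), that implements the countermeasures listed above in Python: a new SID at login regardless of what the browser presented, server-side deletion on logout, and an absolute expiry. The class names, the ABSOLUTE_TIMEOUT value and the in-memory dictionary are assumptions of this example; the vulnerable subclass shows the behaviour the three attack steps rely on, namely a login that keeps the browser-supplied SID.

```python
import secrets
import time

ABSOLUTE_TIMEOUT = 8 * 3600  # seconds; constructed value for this example

class SessionStore:
    """In-memory store applying the countermeasures above: new SID at login,
    server-side deletion on logout, absolute expiry that activity never extends."""
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the timeout is testable
        self._sessions = {}      # sid -> {"user": str | None, "expires": float}

    def create(self, user=None):
        # user=None is a pre-login (anonymous) session, e.g. a shopping cart.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": self._now() + ABSOLUTE_TIMEOUT}
        return sid

    def login(self, presented_sid, user):
        # Ignore the SID the browser sent: delete it (so a planted trap session
        # can never be "entered") and issue a brand-new one for this user.
        self._sessions.pop(presented_sid, None)
        return self.create(user)

    def logout(self, sid):
        # Clearing the browser cookie alone would leave the session live server-side.
        self._sessions.pop(sid, None)

    def current_user(self, sid):
        sess = self._sessions.get(sid)
        if sess is None or self._now() >= sess["expires"]:
            self._sessions.pop(sid, None)   # lazy destruction on absolute timeout
            return None
        return sess["user"]

class VulnerableSessionStore(SessionStore):
    # Same store, except login keeps whatever SID the browser presented.
    def login(self, presented_sid, user):
        if presented_sid in self._sessions:
            self._sessions[presented_sid]["user"] = user   # trap session now authenticated
            return presented_sid
        return self.create(user)

def fixation_attempt(store):
    # Replays the three steps above; returns the identity the attacker obtains
    # through the trap SID after the victim logs in (None means the attack failed).
    trap_sid = store.create()               # 1. session setup by the attacker
    store.login(trap_sid, "victim")         # 2. the fixated SID is what the victim's browser sends
    return store.current_user(trap_sid)     # 3. attacker enters the trap session
```

Run fixation_attempt against both stores to see the hardened store return None while the vulnerable one hands the attacker the victim's identity.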
Session Fixation Vulnerability in ASP.NET
"Session Fixation Vulnerability in Web-based Applications", by Mitja Kolsek, Acros Security.