
Session Fixation: Changing Session ID

Session fixation exploits a weakness in your PHP script, especially if you do not generate a new session ID for users when authenticating them.

One common attack against websites that are secured with sessions is for an attacker to obtain a user's session ID (for instance, by analyzing HTTP_REFERER entries in HTTP requests) and then use it to impersonate that specific user.

One convenient way to make it harder for attackers is to change the session ID whenever something “important” happens, such as the user signing in. For example, ask users who are already authenticated with their cookie to sign in again when they do something important.

Changing the Session ID

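<?php
// Start (or resume) the session and note its current ID.
session_start();
$old = session_id();

// Issue a new session ID; the data in $_SESSION is carried over.
session_regenerate_id();
$new = session_id();

echo "<p>Old: $old</p>";
echo "<p>New: $new</p>";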

In this case, the function session_regenerate_id() changes only the current session ID and leaves all session data intact. The preceding code shows this by retrieving the current session ID with the session_id() function both before and after the call.

The possible output of this script is:

Old: fnuukkkn1knhvpomuan99hialj

New: lqi2hmpgj0cjb20igs9brj4tam

You can also set session.use_strict_mode=On in the php.ini file. This directive makes PHP use only session identifiers that it created itself, so it will reject a user-supplied session identifier.

Most session fixation attacks use session IDs from the URL. The settings session.use_cookies=On and session.use_only_cookies=On will prevent PHP from accepting the session ID from the URL.
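
The three settings and the ID change combined in a sign-in handler, as an added example that is not part of the original page. The login() helper, the $users array, the $request fields and the sample credentials are assumptions made up for illustration.

```php
<?php
// Added example. login(), $users and $request are hypothetical names.

// Constructed sample account; a real application loads this from its user store.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Constructed sample input; in a web request these values come from $_POST.
$request = ['user' => 'alice', 'pass' => 'correct horse'];

// The php.ini directives from the article, applied for this request only.
session_start([
    'use_strict_mode'  => 1, // reject session IDs that PHP did not create
    'use_cookies'      => 1, // carry the session ID in a cookie
    'use_only_cookies' => 1, // never accept the session ID from the URL
]);

function login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false; // failed sign-in: the anonymous session stays as it is
    }

    // The privilege level changes here, so issue a fresh session ID.
    // Passing true also deletes the old session's stored data, so the
    // pre-login ID no longer maps to any session.
    session_regenerate_id(true);

    $_SESSION['user'] = $name;
    return true;
}

$before = session_id();
$ok     = login($users, $request['user'], $request['pass']);
$after  = session_id();

printf(
    "Signed in: %s\nSession ID changed: %s\n",
    $ok ? 'yes' : 'no',
    $before !== $after ? 'yes' : 'no'
);
```

With the sample credentials the script reports a successful sign-in and a changed session ID; with a wrong password the ID stays the same and $_SESSION['user'] is never set.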

