Session Security

Rule of thumb

A session ID should be:

  1. Valid for only a single session

  2. Time limited

  3. Purely random + Unpredictable

  4. Never stored in or transmitted via the URL

  5. In HTML5, kept in sessionStorage (destroyed when the browser is closed) rather than localStorage (has to be deleted explicitly)

  6. Sent in a cookie with the HttpOnly flag set

Session Fixation Attack

The attacker fixates a session ID and forces the victim to use it.

Phases:

  1. The attacker obtains a valid session ID

  2. The attacker forces the victim to use this session ID to establish a personal session with the web server

Symptoms:

  1. Session ID is embedded in the URL --> the attacker can simply craft a phishing link carrying it

  2. Session ID is recycled

Fix:

  • Generate a new session ID each time a user logs in successfully

  • e.g. in PHP, session_regenerate_id(true), where true also deletes the old session data ...

CSRF

An attacker's site triggers a request to a vulnerable site; from the vulnerable site's perspective this looks like a legitimate request from the logged-in user, because the browser attaches the session cookie automatically.

Prevent:

  • CSRF Tokens (hidden input)

  • Captchas

To prevent CSRF, one has to implement a random token for every request and be immune to XSS exploits at the same time, since a script injected via XSS can read the token out of the page.
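The rule of thumb, the session fixation fix and the CSRF token check above, put together in one small Python session store. This is an added example written for these notes, not code from the page or from any framework; the SessionStore class, its field names and the 15-minute lifetime are assumptions made here.

```python
import hmac
import secrets
import time

SESSION_TTL = 15 * 60  # seconds; sessions are time limited

class SessionStore:  # constructed in-memory store for this example, not a real framework
    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be exercised
        self._sessions = {}    # session_id -> {"user", "expires", "csrf"}

    def _record(self, user):
        # OS CSPRNG output: random and unpredictable, not derived from user, time or a counter
        return {"user": user, "expires": self._now() + SESSION_TTL,
                "csrf": secrets.token_urlsafe(32)}

    def create(self):
        """Anonymous pre-login session; in a fixation scenario this is the ID the attacker plants."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = self._record(None)
        return sid

    def get(self, sid):
        s = self._sessions.get(sid)
        if s is not None and s["expires"] <= self._now():
            del self._sessions[sid]  # expired: treated exactly like an unknown ID
            return None
        return s

    def login(self, old_sid, user):
        """Fixation defence: the pre-login ID is never promoted. A fresh ID is issued for the
        authenticated session and the old one destroyed (what session_regenerate_id(true) does)."""
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = self._record(user)
        return new_sid

    def csrf_hidden_input(self, sid):
        """Hidden form field with the per-session anti-CSRF token (URL-safe chars, no escaping needed)."""
        return f'<input type="hidden" name="csrf_token" value="{self.get(sid)["csrf"]}">'

    def csrf_valid(self, sid, submitted):
        """A forged cross-site request carries the cookie but cannot read or guess the token."""
        s = self.get(sid)
        return s is not None and hmac.compare_digest(s["csrf"], submitted or "")

def set_cookie_header(sid):
    """Send the ID only as a cookie (never in the URL), HttpOnly so page script cannot read it."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={SESSION_TTL}"
```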
