Two days ago I forwarded an article to the pst mailing list about regenerating the session under the Struts 2 framework, which caused some discussion. I think it is necessary to remind programmers here; perhaps they have long forgotten this threat.
JSESSIONID Regeneration in Struts 2
In fact, this is Session Fixation.
Session Fixation is usually translated as "session fixation attack". It may be common in old applications, but as web applications have become increasingly complex, the problem has become quite rare.
First, an analogy to understand this attack:
1. You buy a car.
2. You copy the car key.
3. You sell the car to a buyer.
4. The buyer has paid for a second-hand car. Then, one day, while he is away, you drive the car off with the copied key!
This process is Session Fixation; the car key is the Session ID.
The nature of the problem is this: after authentication, the web application does not change or renew the session, so the session that existed before authentication can still be used.
If an attacker can obtain the session ID in advance, they can trick the user into authenticating with that session ID. After authentication, the session ID remains unchanged, but the session has become an authenticated session, which the attacker can exploit: using the same session ID, the attacker passes the system's authentication as that user.
In the web environment, when a user browses a page, the server generates a session and places the session ID on the client, for example in the URL or in a cookie. When the client presents this session ID, the server can find the corresponding session. After the user enters a user name and password, the system authenticates the session. If authentication succeeds, the session becomes an authenticated session, and the server knows the user has been authenticated, so the user does not have to enter the user name and password on every access to a protected page.
For example, the lqqm forum places the session ID in the URL.
A common way to exploit Session Fixation is to send a link by email and trick the user into logging in after clicking it, so that the attacker's chosen session passes authentication, for example:
Http://www.bkjia.com/auth? Session = xxxxxxx
Defending against this attack is very simple: generate a new session after authentication. Even just changing the current session ID achieves this purpose.
The lqqm forum does this: the session is rewritten immediately after login. Tomcat does the same.
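The defence described above, written out against the Servlet API as an added example (this is not code from the original post, from Struts 2 or from Tomcat). It assumes javax.servlet 3.1 or later for changeSessionId(), and the attribute name "authenticatedUser" is a hypothetical choice; inside a Struts 2 action the request would come from ServletActionContext.getRequest().

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example: regenerate the session after a successful login so that the
 * JSESSIONID the user held before authentication (possibly fixed by an
 * attacker) no longer refers to the authenticated session.
 *
 * The vulnerable pattern this replaces is simply:
 *     request.getSession().setAttribute("authenticatedUser", user);
 * which keeps the pre-login session ID and marks it authenticated.
 */
public final class SessionRegenerator {

    private SessionRegenerator() {}

    /**
     * Call only after the credentials have been verified. The old session is
     * invalidated and a fresh one with a new ID is created; attributes the
     * application wants to keep (e.g. a shopping cart) are carried over.
     */
    public static HttpSession regenerateAfterLogin(HttpServletRequest request,
                                                   String authenticatedUser) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            // Copy pre-login state; nothing authentication-related exists yet.
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the ID the attacker may know dies here
        }
        HttpSession fresh = request.getSession(true); // new JSESSIONID issued
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // Authentication is recorded only on the new session.
        fresh.setAttribute("authenticatedUser", authenticatedUser);
        return fresh;
    }

    /** Servlet 3.1+ shortcut: keeps the session object, changes only its ID. */
    public static String rotateIdOnly(HttpServletRequest request) {
        return request.changeSessionId();
    }
}
```

Either method is enough: what matters is that the ID presented before login is not the ID that identifies the authenticated session afterwards.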
Currently, most complex web applications, such as websites and forums, put the session ID in a cookie. After a user logs in there is usually much more in the cookies as well, and these extra values can also prevent the user from being affected by session fixation attacks.
However, session fixation as a class of vulnerability is not limited to user login: wherever there is any kind of authentication, this threat must be taken into account.