Preventing session fixation by ensuring the only source of creating a session should be a secure random generator

后端 未结 2 1674
耶瑟儿~
耶瑟儿~ 2021-02-01 10:37

I am trying to prevent session fixation and have read the following from the owasp website:

Session Fixation

Session IDs are to be generated b

2条回答
  •  遇见更好的自我
    2021-02-01 11:36

    By default PHP is prone to session fixation:

    A simple attack scenario

    Straightforward scenario:

    1. Mallory has determined that http://unsafe.example.com/ accepts any session identifier, accepts session identifiers from query strings and has no security validation. http://unsafe.example.com/ is thus not secure.
    2. Mallory sends Alice an e-mail: "Hey, check this out, there is a cool new account summary feature on our bank, http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID". Mallory is trying to fixate the SID to I_WILL_KNOW_THE_SID.
    3. Alice is interested and visits http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID. The usual log-on screen pops up, and Alice logs on.
    4. Mallory visits http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID and now has unlimited access to Alice's account.

    http://en.wikipedia.org/wiki/Session_fixation

    session.use_strict_mode boolean

    session.use_strict_mode specifies whether the module will use strict session id mode. If this mode is enabled, the module does not accept uninitialized session ID. If uninitialized session ID is sent from browser, new session ID is sent to browser. Applications are protected from session fixation via session adoption with strict mode. Defaults to 0 (disabled).

    http://php.net/manual/en/session.configuration.php#ini.session.use-strict-mode

    Enabling session.use_strict_mode prevents PHP from accepting ids of non-existing sessions and creating them. This does not prevent other types of session fixation though:

    Attack using server generated SID

    A misconception is that servers which only accept server generated session identifiers are safe from fixation. This is false.

    Scenario:

    1. Mallory visits http://vulnerable.example.com/ and checks which SID is returned. For example, the server may respond: Set-Cookie: SID=0D6441FEA4496C2.
    2. Mallory is now able to send Alice an e-mail: "Check out this new cool feature on our bank, http://vulnerable.example.com/?SID=0D6441FEA4496C2."
    3. Alice logs on, with fixated session identifier SID=0D6441FEA4496C2.
    4. Mallory visits http://vulnerable.example.com/?SID=0D6441FEA4496C2 and now has unlimited access to Alice's account.

    This can be prevented by session.use_only_cookies, which is on by default.

    You may still be vulnerable to yet more session fixation attacks through XSS, which you will have to counteract with measures other than PHP ini settings.

提交回复
热议问题