I am trying to prevent session fixation and have read the following from the owasp website:
Session Fixation
Session IDs are to be generated b
Session IDs are to be generated by your application only.
That quote from OWASP PHP Security Cheat Sheet is wrong. Restricting the source of the session id has no effect on Session Fixation. An attacker can go to your site and just grab a valid session id.
The passage was fixed and gives now an effective method for preventing Session Fixation:
Invalidate the session id after user login (or even after each request) with session_regenerate_id().
By default PHP is prone to session fixation:
A simple attack scenario
Straightforward scenario:
- Mallory has determined that http://unsafe.example.com/ accepts any session identifier, accepts session identifiers from query strings and has no security validation. http://unsafe.example.com/ is thus not secure.
- Mallory sends Alice an e-mail: "Hey, check this out, there is a cool new account summary feature on our bank, http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID". Mallory is trying to fixate the SID to I_WILL_KNOW_THE_SID.
- Alice is interested and visits http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID. The usual log-on screen pops up, and Alice logs on.
- Mallory visits http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID and now has unlimited access to Alice's account.
http://en.wikipedia.org/wiki/Session_fixation
session.use_strict_mode
boolean
session.use_strict_mode
specifies whether the module will use strict session id mode. If this mode is enabled, the module does not accept uninitialized session ID. If uninitialized session ID is sent from browser, new session ID is sent to browser. Applications are protected from session fixation via session adoption with strict mode. Defaults to0
(disabled).http://php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
Enabling session.use_strict_mode
prevents PHP from accepting ids of non-existing sessions and creating them. This does not prevent other types of session fixation though:
Attack using server generated SID
A misconception is that servers which only accept server generated session identifiers are safe from fixation. This is false.
Scenario:
- Mallory visits http://vulnerable.example.com/ and checks which SID is returned. For example, the server may respond: Set-Cookie: SID=0D6441FEA4496C2.
- Mallory is now able to send Alice an e-mail: "Check out this new cool feature on our bank, http://vulnerable.example.com/?SID=0D6441FEA4496C2."
- Alice logs on, with fixated session identifier SID=0D6441FEA4496C2.
- Mallory visits http://vulnerable.example.com/?SID=0D6441FEA4496C2 and now has unlimited access to Alice's account.
This can be prevented by session.use_only_cookies
, which is on by default.
You may still be vulnerable to yet more session fixation attacks through XSS, which you will have to counteract with measures other than PHP ini settings.