What is Session Fixation?
Definition
Session Fixation is a web application vulnerability in which an attacker gains access to a user's authenticated session by controlling, in advance, the session identifier that the user ends up authenticating with. The application's mistake is to keep using a session identifier that the attacker already knows rather than issuing a fresh one at authentication.
Points of Vulnerability
Pages that issue session identifiers
Pages that require an authenticated session (pages reached after authorization)
Vulnerability Verification Methods
The session identifier stays the same after logging out and logging back in.
The session identifier before login is the same as the session identifier after login.
The session identifier is not reissued at login (the login response carries no Set-Cookie header with a new identifier).
Attack Method
Attack Scenario
The attacker logs in to the web application and obtains a session identifier.
The attacker forces this session identifier onto the user.
The user logs in to the web application and starts a session under that identifier.
Because the user's authenticated session now carries the identifier the attacker already holds, the attacker reaches the authenticated session simply by refreshing.
Attack Scenario Process
Detailed Explanation
The attacker sends an authentication request to the web application.
The web application generates a session identifier for that authentication.
A session identifier is normally delivered to the client and used when the client starts a session.
The attacker forcibly delivers the previously obtained, attacker-controlled session identifier to the user.
When the user starts a session, they unknowingly use the attacker-controlled session identifier.
The web application authenticates the user and treats the attacker-controlled session identifier as a valid authenticated session.
The attacker gains access to the authenticated session by presenting the same session identifier.
Countermeasures
Randomness of Session Identifiers: Session identifiers should be generated from a cryptographically secure random source so that they cannot be predicted or guessed.
Changing Session Identifiers: A new session identifier should be issued, and the old one invalidated, whenever a user authenticates or gains additional authorization.
Secure Session Management: Session identifiers should be stored securely. If they are carried in cookies, set the 'Secure' and 'HttpOnly' attributes so that the cookie is sent only over TLS and is not readable by client-side scripts.
Session Monitoring and Logging: Monitor and log session activity (issuance, authentication, logout, reuse) so that suspicious patterns can be detected and responded to.
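The example below is added here and is not code from the original article. It models the two behaviours the article contrasts: a login that keeps the pre-login identifier (the vulnerable pattern) and a login that regenerates it and emits a new Set-Cookie (the countermeasure), and then applies the three verification criteria from the "Vulnerability Verification Methods" section as an automated audit. The store also refuses to adopt an identifier it never issued, which is the server-side counterpart of the countermeasures above. Everything here is an in-memory simulation; the names SessionStore, VulnerableAuth, HardenedAuth and audit_session_rotation are hypothetical and the cookie name "sid" is a constructed sample.

```python
"""Session-fixation countermeasure and audit (added example, not from the article)."""
import secrets
from typing import Dict, List, Optional, Tuple


class SessionStore:
    """In-memory session table keyed by identifier (hypothetical helper)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        # Countermeasure 1: unpredictable identifier from a CSPRNG.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def resolve(self, sid: Optional[str]) -> str:
        # Never adopt an identifier the server did not issue; a planted
        # cookie with an unknown value simply gets replaced.
        if sid is None or sid not in self._sessions:
            return self.create()
        return sid

    def get(self, sid: str) -> dict:
        return self._sessions[sid]

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


class VulnerableAuth:
    """Keeps the same identifier across login and logout (the fixation bug)."""

    def __init__(self, store: SessionStore) -> None:
        self.store = store

    def login(self, sid: str, user: str) -> Tuple[str, List[str]]:
        self.store.get(sid)["user"] = user
        return sid, []  # no Set-Cookie: the pre-login cookie stays in use

    def logout(self, sid: str) -> str:
        self.store.get(sid)["user"] = None  # identifier itself stays valid
        return sid


class HardenedAuth:
    """Countermeasure 2: rotate the identifier at authentication and logout."""

    def __init__(self, store: SessionStore) -> None:
        self.store = store

    def login(self, sid: str, user: str) -> Tuple[str, List[str]]:
        old = self.store.get(sid)
        self.store.destroy(sid)           # anyone holding the old id loses it
        new_sid = self.store.create()
        self.store.get(new_sid).update(old, user=user)  # keep pre-login state
        # Countermeasure 3: Secure + HttpOnly on the cookie that carries the id.
        return new_sid, [f"Set-Cookie: sid={new_sid}; Secure; HttpOnly"]

    def logout(self, sid: str) -> str:
        self.store.destroy(sid)
        return self.store.create()  # client continues with a fresh anonymous id


def audit_session_rotation(auth_cls) -> Dict[str, bool]:
    """Apply the article's three checks; True means the check found a weakness."""
    store = SessionStore()
    auth = auth_cls(store)
    pre_login = store.create()
    post_login, headers = auth.login(pre_login, "alice")
    after_logout = auth.logout(post_login)
    # Simulate a client that keeps presenting whatever cookie it last had.
    post_relogin, _ = auth.login(store.resolve(after_logout), "alice")
    return {
        "same_across_logout_login": post_relogin == post_login,
        "same_before_after_login": post_login == pre_login,
        "no_set_cookie_on_login": not any(h.startswith("Set-Cookie:") for h in headers),
    }


def is_fixation_prone(findings: Dict[str, bool]) -> bool:
    return any(findings.values())


if __name__ == "__main__":
    for cls in (VulnerableAuth, HardenedAuth):
        result = audit_session_rotation(cls)
        print(cls.__name__, result, "VULNERABLE" if is_fixation_prone(result) else "ok")
```

The audit mirrors what a tester does by hand with a browser and a proxy: capture the cookie before login, log in, check whether the response set a new cookie, log out and log in again, and compare. In a real application the same three comparisons can be scripted against the login endpoint as a regression test so that a framework change which silently stops regenerating identifiers is caught before release.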