Sunday, September 06, 2009

Session Fixation

Recently I came to know about a security vulnerability that was new to me: Session Fixation ( http://www.owasp.org/index.php/Session_Fixation ). An attacker can start a session himself (maybe by accessing a non-secure or less privileged resource), note down the session id, and then trick you into logging in to the application using that same session. Once you have authenticated, the session id he saved is bound to your account, and he can use it from another machine. If you close the browser after use without logging out (which many people do), he can keep using it until the server times the session out. If you log out after use, he can use it only as long as you are logged in.
You can prevent this by calling session.invalidate() before authentication, in the authentication method, and then letting a fresh session be created (in a servlet, request.getSession(true)), so that the authenticated state lives under a session id the attacker never saw. If you are using your application server's authentication framework (which is what we are told to do: don't write your own security code), then you need to verify that your application server does this.
On the ASP.NET platform it is harder to prevent, because ASP.NET reuses the same session id even after you discard the session with Session.Abandon(): the ASP.NET_SessionId cookie keeps its value, and the next request gets a session under the same id. There are some known solutions available ( http://www.owasp.org/index.php/Session_Fixation_Protection ).
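To make the attack and the fix concrete, here is an added example (not code from the original post, and not servlet or ASP.NET code) that models a server-side session store in Python. It plays the attack described above against two login handlers: one that authenticates into whatever session id the client presented, and one that discards that session and issues a new id at login, which is what session.invalidate() followed by request.getSession(true) achieves in a servlet. The user table, credentials and session store are constructed for the example.

```python
"""Model of session fixation and the invalidate-at-login fix.

Constructed example: the session store stands in for a servlet container's
session table, USERS for the authentication backend. Nothing here is real
servlet or ASP.NET API; the servlet equivalents are named in the comments.
"""
import secrets

# Constructed credentials for the example.
USERS = {"alice": "correct horse"}


class SessionStore:
    """Maps session ids to attribute dicts, like a container's session table."""

    def __init__(self):
        self._sessions = {}

    def get_or_create(self, session_id=None):
        """Return (id, attrs). A missing or unknown id gets a new anonymous session."""
        if session_id is None or session_id not in self._sessions:
            session_id = secrets.token_urlsafe(24)  # unguessable, like a real container
            self._sessions[session_id] = {}
        return session_id, self._sessions[session_id]

    def invalidate(self, session_id):
        """Equivalent of HttpSession.invalidate(): the id no longer names anything."""
        self._sessions.pop(session_id, None)

    def lookup(self, session_id):
        return self._sessions.get(session_id)


def login_vulnerable(store, session_id, username, password):
    """Vulnerable: authenticates into the session id the client presented,
    so an id planted by an attacker before login becomes an authenticated one."""
    if USERS.get(username) != password:
        return None
    sid, attrs = store.get_or_create(session_id)
    attrs["user"] = username
    return sid


def login_fixed(store, session_id, username, password):
    """Fixed: drop the pre-authentication session and issue a fresh id, so any id
    the attacker saved before login names nothing afterwards.
    Servlet equivalent: session.invalidate(); request.getSession(true)
    (Servlet 3.1 request.changeSessionId() does both in one call)."""
    if USERS.get(username) != password:
        return None
    old_sid, old_attrs = store.get_or_create(session_id)
    carry_over = dict(old_attrs)  # keep pre-login state you still want, e.g. a cart
    store.invalidate(old_sid)
    new_sid, attrs = store.get_or_create(None)
    attrs.update(carry_over)
    attrs["user"] = username
    return new_sid


def whoami(store, session_id):
    """What the server believes about the holder of this session id."""
    attrs = store.lookup(session_id)
    return attrs.get("user") if attrs else None


def run_fixation_attack(login):
    """Attacker obtains an anonymous session id, plants it in the victim's browser,
    and the victim logs in through `login`. Returns (user the attacker's saved id
    maps to, user the victim's id maps to, whether both ids are the same)."""
    store = SessionStore()
    attacker_sid, _ = store.get_or_create(None)  # attacker visits a public page
    # ... attacker tricks the victim's browser into sending attacker_sid ...
    victim_sid = login(store, attacker_sid, "alice", "correct horse")
    return whoami(store, attacker_sid), whoami(store, victim_sid), attacker_sid == victim_sid


if __name__ == "__main__":
    print("vulnerable login:", run_fixation_attack(login_vulnerable))
    print("fixed login:     ", run_fixation_attack(login_fixed))
```

With the vulnerable handler the attacker's saved id resolves to alice after she logs in; with the fixed handler it resolves to nothing, and alice's session lives under an id the attacker never saw. The point to check in your own application server is exactly this: after a successful login, is the session id in the cookie different from the one sent with the login request?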
