In a session fixation attack, the attacker tricks the user into using a specific session ID. When the user logs in to a web application using that ID, the attacker knows the victim’s valid session ID and can use it to gain access to the user’s account.
Session identifiers (SIDs), sometimes called session keys or session tokens, are character strings used to authenticate users in web applications. These strings are generated by an application after the user successfully logs in, presented to the user’s browser, and used across different pages or functions of the application, usually via a session cookie. Since the web browser shares the session cookie with the application in every HTTP request, the application can use the session identifier to recognize a known user.
If it weren’t for session identifiers, we would have to log in to web applications much more frequently than we do. However, a session identifier has the same weakness as a password: it is only secure while it is secret. As soon as a malicious user knows your session ID, they can get access to your account and use it for further attacks and potential privilege escalation.
In general, malicious hackers will try to get access to session identifiers to impersonate users and gain access to their accounts/privileges. There are several specific attack techniques targeting sessions:
Session fixation is not a specific type of vulnerability like SQL injection or cross-site scripting. An application may be vulnerable to session fixation attacks due to insufficient web application security and bad coding practices associated with session management:
Vulnerabilities that make an application susceptible to session fixation attacks are classified in the OWASP Top 10 2021 as A07:2021 – Identification and Authentication Failures.
A typical session fixation attack is performed as follows:
The difficulty and exact stages of an attack depend on several factors. For example, a lot depends on how the application handles session IDs. If the application accepts session IDs as URL parameters (via a GET request), a direct attack is trivial. If the application accepts session IDs from POST requests, the attacker may need to create a fake phishing site. Things get even more difficult (but not impossible) if session IDs are only accepted from cookies – the attacker would then need to use techniques such as cross-site scripting (XSS).
The following is an example of PHP code that is vulnerable to session fixation:
<?php
session_start();
if (isset($_GET['SESSIONID']))
{
session_id($_GET['SESSIONID']);
}
$_SESSION['logged_in'] = true;
?>
The SESSIONID
parameter is passed in the query string of the URL, for example, https://www.example.com/index.php?SESSIONID=b9e9cfd3f8b72e2af3e3c3f, and the server uses it to set the session ID. An attacker can simply send the victim a link with a specific SESSIONID
value and when this is opened, the victim's browser will use that value as the session ID.
To fix this code and prevent session fixation, you can use the session_regenerate_id function to generate a random session ID every time the user logs in or performs a sensitive action:
<?php
session_start();
if (isset($_POST['username']) && isset($_POST['password']))
{
if (login_successful())
{
session_regenerate_id(true);
$_SESSION['logged_in'] = true;
}
}
?>
The best way to detect if your application is vulnerable to session fixation depends on whether you use ready-made software or whether you develop software on your own.
There are several ways to prevent session fixation attacks by using secure coding practices:
Session fixation is a type of attack where an attacker gets the user to log in to an application using a specific session ID. After this is accomplished using social engineering or similar techniques, the attacker uses what is now a valid session ID to gain access to the user’s account.
Read more about session fixation attacks in our related blog article.
A successful session fixation attack can give an attacker access to the user’s account in the targeted web application. The consequences of session fixation are the same as for session hijacking and other attacks on sessions. The potential damage depends entirely on the functionality of the web application and the privileges of the user, so accessing an administrator account for a major web application may expose large amounts of highly sensitive information.
Read more about related session hijacking attacks in our blog article.
The only way to prevent session fixation is to follow best cybersecurity practices for developing web-based applications. The web application should only pass session IDs via session cookies. Session IDs should be changed immediately after user authentication, after a specific timeout, and before any important user actions.
Learn more about secure coding practices that help avoid attacks such as session fixation.