views:

92

answers:

1

I have read about session fixation and from what I understand it forces a user to use an attacker's session. Is this correct? Can you give me an example of how this could offend the user?

+7  A: 

I don't usually like to post links to Wikipedia, but here's a link to a very good explanation on Wikipedia...

Here's the meat of it:

  • Alice has an account at the bank http://unsafe/. Unfortunately, Alice is not very security savvy.

  • Mallory is out to get Alice's money from the bank.

  • Alice has a reasonable level of trust in Mallory, and will visit links Mallory sends her.

    1. Mallory has determined that http://unsafe/ accepts any session identifier, accepts session identifiers from query strings and has no security validation. http://unsafe/ is thus not secure.
    2. Mallory sends Alice an e-mail: "Hey, check this out, there is a cool new account summary feature on our bank, http://unsafe/?SID=I_WILL_KNOW_THE_SID". Mallory is trying to fixate the SID to I_WILL_KNOW_THE_SID.
    3. Alice is interested and visits http://unsafe/?SID=I_WILL_KNOW_THE_SID. The usual log-on screen pops up, and Alice logs on.
    4. Mallory visits http://unsafe/?SID=I_WILL_KNOW_THE_SID and now has unlimited access to Alice's account.
RichieHindle
this is a really good answer
Tony