Session Fixation Vulnerability in Web Based Apps

Ian Grigg iang at systemics.com
Tue Jun 17 18:19:39 EDT 2003


Ben Laurie wrote:
> 
> James A. Donald wrote:

> > I do not see how this flaw can be avoided unless one
> > consciously takes special measures that the development
> > environment is not designed or intended to support.
> 
> The obvious answer is you always switch to a new session after login.
> Nothing cleverer is required, surely?

Having read all these discussions and having looked
in my own PHP code and the PHP documentation, I have
to agree with James D.  This cleverness challenges!

I knew how to start and maintain a session, I think.

(That was no easy task.  The PHP documentation is
a mess, and over the last several versions different
ways started and stopped working...  I'm sure the
obvious answer is to use a better tool, but I'm a bit
stuck with a huge dose of reality at the moment, being
one of the million or so PHP developers, and can't junk
the man-years of habit just this month :-)

I just spent an hour or so skimming the doco for PHP,
and apparently, there is an ability to set another
session id with a call called session_id(), oddly
enough :-)

Which only leaves the problems of a) inventing a new
session id, b) rewriting the code so that it carefully
implements the unclever notion of setting this at the
new login, c) deleting this at logout, and finally d)
praying that this works as expected.

On the face of it, PHP doesn't appear to have much
support for this.  It will require each developer to
(re-)implement their own solution.  I'd love to be
wrong in this:  does anyone know the easy way to
secure a PHP website against session fixation?  Or is
it another case of "you gotta write it all yourself
again?"

Rich Salz wrote:
> From
>     http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25
> 
> The following environment variables are exported into SSI files
> and CGI scripts:
>     SSL_SESSION_ID The hex-encoded SSL session id
> 
> Care to try again?

Please.  How does one get access to that in PHP?  That
would be a wonderful answer to a) above.  Which would
only leave me with b) thru d)   :-(

PS:  Steve, thanks for the aviso!  Very interesting
attack!

-- 
iang
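An added example, not from the original message or any of its authors, of the "switch to a new session after login" mitigation discussed above as steps a) through c): the server issues a fresh session identifier at the moment of authentication and destroys the session at logout. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params() and session_regenerate_id(), which was not yet available to the author in 2003), an HTTPS-only site, and a hypothetical check_credentials() standing in for the application's own password verification.

```php
<?php
// Added example: rotate the PHP session ID at login, destroy it at logout.
// check_credentials() is a hypothetical placeholder, not a PHP built-in.
declare(strict_types=1);

// Refuse session IDs the server never issued: an ID planted by a third
// party is discarded instead of being adopted as a new session.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumes the site is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

/** Hypothetical credential check; replace with the real one. */
function check_credentials(string $user, string $password): bool
{
    // e.g. password_verify($password, $hash_from_database)
    return false;
}

function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    // Steps a) and b): a fresh, server-generated ID at the privilege
    // change, so any ID known before login is no longer bound to the
    // authenticated session. The true argument deletes the old session
    // data rather than leaving it valid alongside the new one.
    session_regenerate_id(true);
    $_SESSION = ['user' => $user, 'login_time' => time()];
    return true;
}

function logout(): void
{
    // Step c): drop server-side state and expire the client cookie.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Under mod_ssl, the variable Rich Salz quotes is visible to PHP as $_SERVER['SSL_SESSION_ID'] only when the server configuration exports it (SSLOptions +StdEnvVars); it identifies the TLS session, which can be renegotiated or resumed independently of the application login, so it is not a substitute for regenerating the application session ID above.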

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


