In computer network security, session fixation attacks attempt to exploit the vulnerability of a system that allows one person to fixate (find or set) another person's session identifier. Most session fixation attacks are web based, and most rely on session identifiers being accepted from URLs (query string) or POST data.
Attack scenarios[edit]
Alice has an account at the bank
http://unsafe.example.com/
How to download microsoft word in laptop. Mallory intends to target Alice's money from her bank.
Alice has a reasonable level of trust in Mallory, and will visit links Mallory sends her.
Session and persistent cookies. There are session cookies and persistent cookies. Session cookies only last until you close your browser. We use session cookies for a variety of reasons, including to learn more about your use of our website during one single browser session and to help you to use our website more efficiently. Django cookie 与 session Cookie 是存储在客户端计算机上的文本文件,并保留了各种跟踪信息。 识别返回用户包括三个步骤: 服务器脚本向浏览器发送一组 Cookie。例如:姓名、年龄或识别号码等。 浏览器将这些信息存储在本地计算机上,以备将来使用。. Secure - This attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text. Session(options) Create a session middleware with the given options. Note Session data is not saved in the cookie itself, just the session ID. Session data is stored server-side. Note Since version 1.5.0, the cookie-parser middleware no longer needs to be used for this module to work.
A simple attack scenario[edit]
Straightforward scenario:
- Mallory has determined that
http://unsafe.example.com/
accepts any session identifier, accepts session identifiers from query strings and has no security validation.http://unsafe.example.com/
is thus not secure. - Mallory sends Alice an e-mail: 'Hey, check this out, there is a cool new account summary feature on our bank,
http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID
'. Mallory is trying to fixate the SID toI_WILL_KNOW_THE_SID
. - Alice is interested and visits
http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID
. The usual log-on screen pops up, and Alice logs on. - Mallory visits
http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID
and now has unlimited access to Alice's account.
Attack using server generated SID[edit]
A misconception is that if a server only accepts server-generated session identifiers, it is safe from fixation. This is false.
Scenario:
- Mallory visits
http://vulnerable.example.com/
and checks which SID is returned. For example, the server may respond:Set-Cookie: SID=0D6441FEA4496C2
. - Mallory is now able to send Alice an e-mail: 'Check out this new cool feature on our bank,
http://vulnerable.example.com/?SID=0D6441FEA4496C2
.' - Alice logs on, with fixated session identifier
SID=0D6441FEA4496C2
. - Mallory visits
http://vulnerable.example.com/?SID=0D6441FEA4496C2
and now has unlimited access to Alice's account.
Attacks using cross-subdomain cookie[edit]
This type of attack is similar to a cross-site cookie attack except that, it does not rely on the vulnerability of the user's browser. Rather, it relies on the fact that wildcard cookies can be set by a subdomain and, that those cookies may affect other subdomains.
Scenario:
- A web site
www.example.com
hands out subdomains to untrusted third parties - One such party, Mallory, who now controls
evil.example.com
, lures Alice to his site - A visit to
evil.example.com
sets a session cookie with the domain.example.com
on Alice's browser - When Alice visits
www.example.com
this cookie will be sent with the request and Alice will have the session specified by Mallory's cookie. - If Alice now logs on, Mallory can use her account.
When this attack is complete, Mallory can gain access to
www.example.com
as Alice.It is not essential that a user login to exploit session fixation attacks[1] and, although these unauthenticated attacks are not constrained to cross-sub-domain cookie attacks, the implications of sub-domain attacks are relevant to these unauthenticated scenarios. For example, Mallory may provide a URL from their evil site, fixating a session into an unauthenticated scenario, and use those techniques to exploit their target. This includes scenarios exploiting both the unauthenticated scenarios (e.g. forms or registration) as well as the ability to feed the user an established session to bypass the login completely.
Consider, for example, that Mallory may create a user A1ice on www.example.com and login that user to capture a current, valid session identifier. Mallory then entraps Alice with a URL from evil.example.com which fixates that session cookie in Alice's browser (as described above) and redirects to www.example.com for finalizing a particular transaction (or, in fact, broader use). Mallory is thus able to ghost the session from their original login, scraping data and executing operations as 'A1ice' on 'www.example.com'. If Alice was successfully duped and saved her credit card to the account, Mallory might then make purchases using that card.
![Localstorage Localstorage](https://static.javatpoint.com/difference/images/session-vs-cookies2.png)
Countermeasures[edit]
Do not accept session identifiers from GET / POST variables[edit]
Session identifiers in URL (query string, GET variables) or POST variables are not recommended as they simplify this attack – it is easy to make links or forms that set GET / POST variables.
- The SID is leaked to other people as users cut & paste 'interesting links' from the address bar into chats, forums, communities, etc.
- The SID is stored in many places (browser history log, web server log, proxy logs, ..)
Note: Cookies are shared between tabs and popped up browser windows. If your system requires to be hit with the same domain (www.example.com/?code=site1 and www.example.com/?code=site2 ), cookies may conflict with one another between tabs.
It may be required to send the session identifier on the URL in order to overcome this limitation. If possible use site1.example.com or site2.example.com so there is no domain conflicts in the cookies. This may incur costs with extra SSL certificates.
This behavior can be seen on many sites by opening another tab and trying to do side by side search results. One of the sessions will become unusable. How to put an imovie project on a flash drive.
Best solution: Identity confirmation[edit]
This attack can be largely avoided by changing the session ID when users log in. If every request specific to a user requires the user to be authenticated with ('logged into') the site, an attacker would need to know the id of the victim's log-in session. When the victim visits the link with the fixed session id, however, they will need to log into their account in order to do anything 'important' as themselves. At this point, their session id will change, and the attacker will not be able to do anything 'important' with the anonymous session ID.
A similar technique can be used to solve the phishing problem. If the user protects their account with two passwords, then it can be solved to a great extent.
This technique is also useful against cross-site request forgery attacks.
Solution: Store session identifiers in HTTP cookies[edit]
The session identifier on most modern systems is stored by default in an HTTP cookie, which has a moderate level of security as long as the session system disregards GET/POST values.[citation needed] However, this solution is vulnerable to cross-site request forgery, and it does not meet the statelessness requirement of REST.
Solution: Utilize SSL / TLS session identifier[edit]
When enabling HTTPS security, some systems allow applications to obtain the SSL / TLS session identifier. Use of the SSL/TLS session identifier is very secure, but many web development languages do not provide robust built-in functionality for this.
Regenerate SID on each request[edit]
A countermeasure against session fixation is to generate a new session identifier (SID) on each request. If this is done, then even though an attacker may trick a user into accepting a known SID, the SID will be invalid when the attacker attempts to re-use the SID. Implementation of such a system is simple, as demonstrated by the following:
- Get previous Session Identifier
OLD_SID
from HTTP request. - If
OLD_SID
is null, empty, or no session with SID=OLD_SID
exists, create a new session. - Generate new session identifier
NEW_SID
with a secure random number generator. - Let session be identified by SID=
NEW_SID
(and no longer by SID=OLD_SID
) - Transmit new SID to client.
Example:
If Mallory successfully tricks Alice into visiting
http://victim.example.com/?SID=I_KNOW_THE_SID
, this HTTP request is sent to victim.example.com
:victim.example.com
accepts SID=I_KNOW_THE_SID
, which would normally be bad. However, victim.example.com
is secure because it performs session regeneration. victim.example.com
gets the following response:Alice will now use
SID=3134998145AB331F
that is unknown to Mallory, and SID=I_KNOW_THE_SID
is invalid. Mallory is thus unsuccessful in the session fixation attempt.Unfortunately session regeneration is not always possible. Problems are known to occur when third-party software such as ActiveX or Java applets are used, and when browser plugins communicate with the server. Third-party software could cause logouts, or the session could be split into two separate sessions.
If the implementation of sessions includes transmitting the SID through GET or POST variables, then this might also render the 'back' button in most browsers unusable, as the user would then be using an older, invalid, session identifier from a previous request.
Accept only server-generated SIDs[edit]
One way to improve security is not to accept session identifiers that were not generated by the server. However, as noted above, this does not prevent all session fixation attacks.
Logout function[edit]
A logout function is useful as it allows users to indicate that a session should not allow further requests. Thus attacks can only be effective while a session is active. Note that the following code performs no Cross-site request forgery checks, potentially allowing an attacker to force users to log out of the web application.
Time-out old SIDs[edit]
Cookie Sessionstorage And Localstorage
This defense is simple to implement and has the advantage of providing a measure of protection against unauthorized users accessing an authorized user's account by using a machine that may have been left unattended.
Store a session variable containing a time stamp of the last access made by that SID. When that SID is used again, compare the current timestamp with the one stored in the session. If the difference is greater than a predefined number, say 5 minutes, destroy the session. Otherwise, update the session variable with the current timestamp.
Destroy session if Referrer is suspicious[edit]
When visiting a page, most web browsers will set the Referrer header – the page that contained the link that you followed to get to this page.
When the user is logged into a site that is not likely to be linked to from outside that site (e.g., banking websites, or webmail), and the site is not the kind of site where users would remain logged in for any great length of time, the Referrer should be from that site. Any other Referrer should be considered suspicious. However, if the originating request is from a HTTPS page, then the referrer will be stripped, so you cannot depend on this security system.
For example,
http://vulnerable.example.com/
could employ the following security check:Verify that additional information is consistent throughout session[edit]
One way to further improve security is to ensure that the user appears to be the same end user (client). This makes it a bit harder to perform session fixation and other attacks.
As more and more networks begin to conform to RFC 3704 and other anti-spoofing practices, the IP address becomes more reliable as a 'same source' identifier. Therefore, the security of a web site can be improved by verifying that the source IP address is consistent throughout a session.
This could be performed in this manner:
However, there are some points to consider before employing this approach.
- Several users may share one IP address. It is not uncommon for an entire building to share one IP address using NAT.
- One user may have an inconsistent IP address. This is true for users behind proxies (such as AOL customers). It is also true for some mobile/roaming users, as well as users that are behind load balanced Internet connections. Users with IPv6 Privacy Extensions enabled may also change their IPv6 privacy addresses at any time.
- It will not work reliably with dual stack clients as requests will move between IPv4 and IPv6.
- It will not work reliably with mobile users, as mobile users roam between addresses as well.
For some sites, the added security outweighs the lack of convenience, and for others it does not.
User Agent[edit]
Browsers identify themselves by 'User-Agent' HTTP headers. This header does not normally change during use; it would be extremely suspicious if that were to happen. A web application might make use of User-Agent detection in attempt to prevent malicious users from stealing sessions. This however is trivial to bypass, as an attacker can easily capture the victim's user-agent with their own site and then spoof it during the attack. This proposed security system is relying on security through obscurity.
However, there are some points to consider before employing this approach.
- Several users may have same browser User Agent in Internet café.
- Several users may have same default browser (ex: Internet Explorer 6 in Windows XP SP3 or mini browser in mobile phone).
But User Agent may change legally in few cases. Following examples are the same users.
- A smartphone whose screen rotated since the last request
Mozilla/5.0 (Linux; U; Android 2.2; en-us; DROID2 Build/VZW) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 854X480 motorola DROID2
Mozilla/5.0 (Linux; U; Android 2.2; en-us; DROID2 Build/VZW) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 480X854 motorola DROID2
- Internet Explorer compatibility mode:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
- A user accessing a web site through a proxy distributed across multiple servers, not all of which are upgraded to the latest version of the proxy software
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (FlipboardProxy/0.0.5; +http://flipboard.com/browserproxy)
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (FlipboardProxy/1.1; +http://flipboard.com/browserproxy)
Defense in depth[edit]
Defense in depth is to combine several countermeasures. The idea is simple: if one obstacle is trivial to overcome, several obstacles could be very hard to overcome.
A defense in depth strategy could involve:
- Enable HTTPS (to protect against other problems)
- Correct configuration (do not accept external SIDs, set time-out, etc.)
- Perform session_regeneration, support log-out, etc.
HTTP referrers are not passed with SSL/TLS (HTTPS).
The following PHP script demonstrates several such countermeasures combined in a defense in depth manner:
Note that this code checks the current REMOTE_ADDR (the user's IP address) and User-agent against the REMOTE_ADDR and User-agent of the previous request. This might be inconvenient for some sites as discussed above.
See also[edit]
References[edit]
- ^Article about unauthenticated Session-Fixation attacks
External links[edit]
- Session Fixation Vulnerability in Web-based Applications (PDF)
- Session Fixation Video example
Retrieved from 'https://en.wikipedia.org/w/index.php?title=Session_fixation&oldid=1047608893'
In computer science and networking in particular, a session is a temporary and interactive information interchange between two or more communicating devices, or between a computer and user (see login session). A session is established at a certain point in time, and then ‘torn down’ - brought to an end - at some later point. An established communication session may involve more than one message in each direction. A session is typically stateful, meaning that at least one of the communicating parties needs to hold current state information and save information about the session history to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses.
An established session is the basic requirement to perform a connection-oriented communication. A session also is the basic step to transmit in connectionless communication modes. However, any unidirectional transmission does not define a session.[1]
Communication Transport may be implemented as part of protocols and services at the application layer, at the session layer or at the transport layer in the OSI model.
- Application layer examples:
- HTTP sessions, which allow associating information with individual visitors
- A telnet remote login session
- Session layer example:
- A Session Initiation Protocol (SIP) based Internet phone call
- Transport layer example:
- A TCP session, which is synonymous to a TCP virtual circuit, a TCP connection, or an established TCP socket.
In the case of transport protocols that do not implement a formal session layer (e.g., UDP) or where sessions at the application layer are generally very short-lived (e.g., HTTP), sessions are maintained by a higher level program using a method defined in the data being exchanged. For example, an HTTP exchange between a browser and a remote host may include an HTTP cookie which identifies state, such as a unique sessions ID, information about the user's preferences or authorization level.
HTTP/1.0 was thought to only allow a single request and response during one Web/HTTP Session. Protocol version HTTP/1.1 improved this by completing the Common Gateway Interface (CGI), making it easier to maintain the Web Session and supporting HTTP cookies and file uploads.
Most client-server sessions are maintained by the transport layer - a single connection for a single session. However each transaction phase of a Web/HTTP session creates a separate connection. Maintaining session continuity between phases requires a session ID. The session ID is embedded within the <A HREF> or <FORM> links of dynamic web pages so that it is passed back to the CGI. CGI then uses the session ID to ensure session continuity between transaction phases. One advantage of one connection-per-phase is that it works well over low bandwidth (modem) connections.
Software implementation[edit]
TCP sessions are typically implemented in software using child processes and/or multithreading, where a new process or thread is created when the computer establishes or joins a session. HTTP sessions are typically not implemented using one thread per session, but by means of a database with information about the state of each session. The advantage with multiple processes or threads is relaxed complexity of the software, since each thread is an instance with its own history and encapsulated variables. The disadvantage is large overhead in terms of system resources, and that the session may be interrupted if the system is restarted.
When a client may connect to any server in a cluster of servers, a special problem is encountered in maintaining consistency when the servers must maintain session state. The client must either be directed to the same server for the duration of the session, or the servers must transmit server-side session information via a shared file system or database. Otherwise, the client may reconnect to a different server than the one it started the session with, which will cause problems when the new server does not have access to the stored state of the old one.
Server-side web sessions[edit]
Server-side sessions are handy and efficient, but can become difficult to handle in conjunction with load-balancing/high-availability systems and are not usable at all in some embedded systems with no storage. The load-balancing problem can be solved by using shared storage or by applying forced peering between each client and a single server in the cluster, although this can compromise system efficiency and load distribution.
A method of using server-side sessions in systems without mass-storage is to reserve a portion of RAM for storage of session data. This method is applicable for servers with a limited number of clients (e.g. router or access point with infrequent or disallowed access to more than one client at a time).
Client-side web sessions[edit]
Client-side sessions use cookies and cryptographic techniques to maintain state without storing as much data on the server. When presenting a dynamic web page, the server sends the current state data to the client (web browser) in the form of a cookie. The client saves the cookie in memory or on disk. With each successive request, the client sends the cookie back to the server, and the server uses the data to 'remember' the state of the application for that specific client and generate an appropriate response.
This mechanism may work well in some contexts; however, data stored on the client is vulnerable to tampering by the user or by software that has access to the client computer. To use client-side sessions where confidentiality and integrity are required, the following must be guaranteed:
- Confidentiality: Nothing apart from the server should be able to interpret session data.
- Data integrity: Nothing apart from the server should manipulate session data (accidentally or maliciously).
- Authenticity: Nothing apart from the server should be able to initiate valid sessions.
To accomplish this, the server needs to encrypt the session data before sending it to the client, and modification of such information by any other party should be prevented via cryptographic means.
Transmitting state back and forth with every request is only practical when the size of the cookie is small. In essence, client-side sessions trade server disk space for the extra bandwidth that each web request will require. Moreover, web browsers limit the number and size of cookies that may be stored by a web site. To improve efficiency and allow for more session data, the server may compress the data before creating the cookie, decompressing it later when the cookie is returned by the client.
HTTP session token[edit]
A session token is a unique identifier that is generated and sent from a server to a client to identify the current interaction session. The client usually stores and sends the token as an HTTP cookie and/or sends it as a parameter in GET or POST queries. The reason to use session tokens is that the client only has to handle the identifier—all session data is stored on the server (usually in a database, to which the client does not have direct access) linked to that identifier. Examples of the names that some programming languages use when naming their HTTP cookie include JSESSIONID (JSP), PHPSESSID (PHP), CGISESSID (CGI), and ASPSESSIONID (ASP).
Session management[edit]
In human–computer interaction, session management is the process of keeping track of a user's activity across sessions of interaction with the computer system.
Typical session management tasks in a desktop environment include keeping track of which applications are open and which documents each application has opened, so that the same state can be restored when the user logs out and logs in later. For a website, session management might involve requiring the user to re-login if the session has expired (i.e., a certain time limit has passed without user activity). It is also used to store information on the server-side between HTTP requests.
Desktop session management[edit]
A desktop session manager is a program that can save and restore desktop sessions. A desktop session is all the windows currently running and their current content. Session management on Linux-based systems is provided by X session manager. On Microsoft Windows systems, session management is provided by the Session Manager Subsystem (smss.exe); user session functionality can be extended by third-party applications like twinsplay.
Browser session management[edit]
Session management is particularly useful in a web browser where a user can save all open pages and settings and restore them at a later date or on a different computer (see data portability).
To help recover from a system or application crash, pages and settings can also be restored on next run. Google Chrome, Mozilla Firefox, Internet Explorer, OmniWeb and Opera are examples of web browsers that support session management. Session management is often managed through the application of cookies.
Web server session management[edit]
Hypertext Transfer Protocol (HTTP) is stateless: a client computer running a web browser must establish a new Transmission Control Protocol (TCP) network connection to the web server with each new HTTP GET or POST request. The web server, therefore, cannot rely on an established TCP network connection for longer than a single HTTP GET or POST operation. Session management is the technique used by the web developer to make the stateless HTTP protocol support session state. For example, once a user has been authenticated to the web server, the user's next HTTP request (GET or POST) should not cause the web server to ask for the user's account and password again. For a discussion of the methods used to accomplish this see HTTP cookie and Session ID
In situations where multiple web servers must share knowledge of session state (as is typical in a cluster environment) session information must be shared between the cluster nodes that are running web server software. Methods for sharing session state between nodes in a cluster include: multicasting session information to member nodes (see JGroups for one example of this technique), sharing session information with a partner node using distributed shared memory or memory virtualization, sharing session information between nodes using network sockets, storing session information on a shared file system such as a distributed file system or a global file system, or storing the session information outside the cluster in a database.
If session information is considered transient, volatile data that is not required for non-repudiation of transactions and does not contain data that is subject to compliance auditing (in the U.S. for example, see the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act for examples of two laws that necessitate compliance auditing) then any method of storing session information can be used. However, if session information is subject to audit compliance, consideration should be given to the method used for session storage, replication, and clustering.
Cookie Session Npm
In a service-oriented architecture, Simple Object Access Protocol or SOAP messages constructed with Extensible Markup Language (XML) messages can be used by consumer applications to cause web servers to create sessions.
Session management over SMS[edit]
Just as HTTP is a stateless protocol, so is SMS. As SMS became interoperable across rival networks in 1999,[2] and text messaging started its ascent towards becoming a ubiquitous global form of communication,[3] various enterprises became interested in using the SMS channel for commercial purposes. Initial services did not require session management since they were only one-way communications (for example, in 2000, the first mobile news service was delivered via SMS in Finland). Today, these applications are referred to as application-to-peer (A2P) messaging as distinct from peer-to-peer (P2P) messaging. The development of interactive enterprise applications required session management, but because SMS is a stateless protocol as defined by the GSM standards,[4] early implementations were controlled client-side by having the end-users enter commands and service identifiers manually.
See also[edit]
References[edit]
- ^Sessionless-oriented protocol and session-oriented protocol
- ^InterCarrier Messaging Guidelines(PDF), CTIA, retrieved 2018-06-02
- ^Hppy bthdy txt! BBC News World Edition, http://news.bbc.co.uk/2/hi/uk_news/2538083.stm 3 December 2002.
- ^GSM Doc 28/85 'Services and Facilities to be provided in the GSM System' rev2, June 1985
External links[edit]
Retrieved from 'https://en.wikipedia.org/w/index.php?title=Session_(computer_science)&oldid=1031365701'