session fixation
- by markiv
Hi All,
I am new to web development, and trying to get a hold on security issues.
I went through this article on http://guides.rubyonrails.org/security.html
these are some of the steps the author has mentioned how an attacker fixes session.
1. The attacker creates a valid session id: He loads the login page of the web application where he wants to fix the session, and takes the session id in the cookie from the response (see number 1 and 2 in the image).
2. He possibly maintains the session. Expiring sessions, for example every 20 minutes, greatly reduces the time-frame for attack. Therefore he accesses the web application from time to time in order to keep the session alive.
3. Now the attacker will force the user’s browser into using this session id (see number 3 in the image). As you may not change a cookie of another domain (because of the same origin policy), the attacker has to run a JavaScript from the domain of the target web application. Injecting the JavaScript code into the application by XSS accomplishes this attack. Here is an example: <script>?document.cookie="_session_id=16d5b78abb28e3d6206b60f22a03c8d9";?</script>. Read more about XSS and injection later on.
4. The attacker lures the victim to the infected page with the JavaScript code. By viewing the page, the victim’s browser will change the session id to the trap session id.
5. As the new trap session is unused, the web application will require the user to authenticate.
6. From now on, the victim and the attacker will co-use the web application with the same session: The session became valid and the victim didn’t notice the attack.
I dont understand couple of points.
i) why is user made to login in step5, since session is sent through.
ii) I saw possible solutions on wiki, like user properties check and others
why cant we just reset the session for the user whoever is login in when they enter username and password in step5?
Thanks in advance
Markiv
