PHP session fixation attacks
Session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate (set) another person’s session identifier (SID). Most session fixation attacks are web based, and most rely on session identifiers being accepted from URLs (query string) or POST data.
Example of such an attack: Lets take an example of a banking website which provides login to access banking features. (this can be any site which allows users to login).
EG: http://www.poorbanking.com
1) Hacker
Creates a very a link and sends visitors to the site as http://www.poorbanking.com/index.php?PHPSESSID=1234
Lets assume PHPSESSID is the name of the cookie / variable used to store session information. It is very easy for anyone to find this by just visiting the site once.
2) Hacker sends link to the target user.
http://www.poorbanking.com/index.php?PHPSESSID=1234 by email or placed in a blog etc.
3) Victim
Sees the link and clicks on it. The site looks genuine and the victim logs in to the site. At this stage the PHPSESSID is set to PHPSESSID=1234 and user is logged in.
4) The happy hacker
Hacker can keep checking if they can login by simply going to http://www.poorbanking.com/showmeaccount.php?PHPSESSID=1234
where showmeaccount.php is the page after login. They can see that once the user has logged in they can easily get access to the page.
Work around to this problem
Just prior to setting such a session variable, a call to session_regenerate_id() can help to protect against a session fixation attack.
See more information at http://en.wikipedia.org/wiki/Session_fixation
Useful tip.
Another useful tip (in addition) is to check the $_SERVER[‘HTTP_USER_AGENT’] string, and if it’s changed between requests, you may as well regenerate the id again.
Thanks for the pointer. This is usually missed out by developers.