Security Leak: Session Fixation vulnerability
What is a Session?
HTTP is a stateless protocol. Each request to the server is independent and carries no information about the user, such as who requested which page, or about the state of the client machine.
ASP.NET session state can be used to store values that persist across page requests. ASP.NET session state identifies requests from the same browser as a session. The session is limited in time: it expires and is then renewed.
Whenever a session starts, a cookie named ASP.NET_SessionId is created; it carries the session identifier, and the values stored in the session are retrieved by looking up that identifier. By default, if a user is inactive for 20 minutes, the session expires and all items that had been stored in it are discarded.
There are methods to kill the session programmatically like
These methods only end the session; they do not delete the cookie.
What is Session Fixation?
Because the security of the cookie depends on the client machine, there is a chance that the cookie is stolen, which reveals the session identifier. Another, less likely but naive, way for the hacker to obtain the session identifier is from the query string, if the identifier is appended to the URL. Once stolen, an attacker can impersonate the user by presenting the authenticated session ID (SID).
Let's walk through the basic flow to understand session fixation.
- The user visits a site and receives a valid ASP.NET_SessionId, say ‘abcdefg’.
- The user logs in with valid credentials and performs some transactions. The session identifier does not change; it is still ‘abcdefg’.
- The hacker creates or obtains a valid session identifier.
- The hacker impersonates the user and continues as the user.
- The hacker can keep impersonating the victim until the SID expires.
Another variant is where the SID is appended to the URL as a query parameter. A phishing mail contains a URL with a SID appended that only the hacker knows. Once the user logs in through that link, the hacker can use the SID, now associated with an authenticated session, to impersonate the user. So please avoid clicking links in spam mails.
How can it be fixed?
There are many countermeasures available; some of them are:
- Assign a new session identifier on login, and
- Remove the session identifier once the user logs out.
- Regenerate the session identifier on each request, although this is not always possible.
- As a precautionary measure, applicable to small sites too, enable HTTPS.
- A logout function, which states that the session should not accept further requests. Not a very secure option on its own, though.
- Beware of suspicious referrers (the referrer is the page that contained the link you followed to get to the current page).
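The first two countermeasures, implemented for classic ASP.NET (System.Web), as an added example that is not code from the original post. It assumes the default session cookie name ASP.NET_SessionId, a login handler that calls RegenerateSessionId after the credentials have been verified, and a logout handler that calls EndSession.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Added example: issue a fresh session ID at login and drop the cookie at logout.
// Assumes the default cookie name; adjust it if <sessionState cookieName="..."> is set.
public static class SessionFixationDefense
{
    private const string SessionCookieName = "ASP.NET_SessionId";

    // Call AFTER the credentials are verified and BEFORE anything for the
    // authenticated user is written to Session. Any ID the browser already
    // held (possibly planted by an attacker) is abandoned server-side, and a
    // newly generated ID is sent back in the cookie.
    public static string RegenerateSessionId(HttpContext ctx)
    {
        if (ctx.Session != null)
        {
            ctx.Session.Abandon();   // old server-side session is removed at end of request
        }

        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(ctx);   // random, validated ID
        bool redirected, cookieAdded;
        manager.SaveSessionID(ctx, newId, out redirected, out cookieAdded);

        // The new ID only takes effect on the next request, so write the
        // user's session values after a redirect to the post-login page.
        return newId;
    }

    // Call from the logout handler. Session.Abandon() alone leaves the cookie
    // in the browser; an expired, empty replacement makes the browser drop it.
    public static void EndSession(HttpContext ctx)
    {
        if (ctx.Session != null)
        {
            ctx.Session.Clear();
            ctx.Session.Abandon();
        }

        var expired = new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            HttpOnly = true,
            Secure = ctx.Request.IsSecureConnection
        };
        ctx.Response.Cookies.Add(expired);
    }
}
```

Because ASP.NET reuses whatever ID the browser presents, simply calling Session.Abandon() without replacing the cookie would let the same identifier come back on the next request; the regeneration step is what actually breaks the fixation.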
We have countermeasures for session fixation, but still no fool-proof strategy. If a hacker improvises, we should also improvise on countermeasures. I suggest always preparing a strategy to foresee security leaks and putting precautionary measures in place.