- Session ID:
  - Represents the user; it is as important as the username and password.
  - A session ID should be:
    - Unique
    - Random
    - Unpredictable
    - Long
    - Sent only over HTTPS
    - Given an expiry date
- Session Fixation:
  - The server provides an anonymous session ID to the application before login; after login, that ID must always be changed.
  - A session fixation vulnerability occurs when the anonymous session ID is upgraded to the logged-in session ID, i.e. the session ID does not change on login.
  - Sometimes the server also accepts arbitrary session IDs supplied by users.
- Demo:
  - Session management with the session ID in the URL.
  - If the ID is in the URL, it will be available in the server's log files.
  - An application is needed to run the demo; it is on the web at:
    - https://github.com/appingmap/SessionFixation
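As an added illustration of the two fixation points above (ID not changed on login, and server adopting IDs it never issued), here is a small in-memory session store with the safe behaviour and the weak behaviour selectable by flag. It is example code written for these notes, not code from the SessionFixation demo app; the store, its flags and the check functions are all constructed here.

```python
import secrets

class SessionStore:
    """Minimal in-memory session store, constructed for this example."""

    def __init__(self, regenerate_on_login=True, accept_client_ids=False):
        self.sessions = {}                      # session id -> {"user": ...}
        self.regenerate_on_login = regenerate_on_login
        self.accept_client_ids = accept_client_ids

    @staticmethod
    def new_id():
        # Unique, random, unpredictable, long: 256 bits from a CSPRNG
        return secrets.token_urlsafe(32)

    def resolve(self, presented_id):
        """Return the session id to use for a request carrying presented_id."""
        if presented_id in self.sessions:
            return presented_id
        if presented_id and self.accept_client_ids:
            # Weak behaviour: the server adopts an id it never issued
            self.sessions[presented_id] = {"user": None}
            return presented_id
        sid = self.new_id()                      # unknown id: issue a fresh one
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, presented_id, user):
        """Authenticate the session; a safe server swaps the id here."""
        sid = self.resolve(presented_id)
        if self.regenerate_on_login:
            data = self.sessions.pop(sid)        # old id stops working
            sid = self.new_id()
            self.sessions[sid] = data
        self.sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")

def pre_login_id_survives(store, user="alice"):
    """True if the anonymous id still reaches the logged-in session (fixation)."""
    anon = store.resolve(None)                   # first visit, no cookie yet
    store.login(anon, user)
    return store.user_for(anon) == user

def accepts_foreign_id(store, foreign="id-not-issued-by-server"):
    """True if a value the server never issued becomes a valid session id."""
    return store.resolve(foreign) == foreign
```

The two check functions double as a quick regression test for a real session layer: both should return False for a correctly configured server.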