05 Session-Management
SESSION MANAGEMENT
BROKEN AUTHENTICATION AND SESSION MANAGEMENT
1. Credential Management
2. Session Management
3. The rest (whatever doesn't fit in the first 2 categories)
The website should remember you across pages on the site. It should remember you even if you closed the browser window.
SESSIONS
THIS IS WHERE SESSIONS COME IN
Session hijacking refers to exploiting a user's session to gain unauthorized access to their data. This involves getting access to the user's session id and their session.
SESSION MANAGEMENT
Session setup
Session fixation
Future lectures will talk about session fixation in some detail.
Session entrance
How the attacker uses the session is website dependent and out of the scope of this class.
SESSION MANAGEMENT
Session hijacking
Where the session id can be carried:
1. URL parameters
2. Hidden form fields
3. Cookies
Of these, using cookies is considered the least insecure.
SESSIONS WITHOUT COOKIES
The link is written in the page source without a session id:
<a href="Example12-SessionMgmt-sessionsWithoutCookies-page2.php">
With session.use_trans_sid enabled, PHP rewrites it on output so that the session id travels in the URL:
Example12-SessionMgmt-sessionsWithoutCookies-page2.php?PHPSESSID=a318267116025e2c24bd8b93a8ddb5a3

<?php
// Start the session, this should be before the <html> tag.
// Carry the session id in the URL instead of a cookie.
ini_set("session.use_cookies", 0);
ini_set("session.use_only_cookies", 0);
ini_set("session.use_trans_sid", 1);
session_start(); // Start the session as usual!
?>
<html lang="en">
<body>
<?php
echo '<h3>Page 1</h3>';
// Count the visits in this session.
if (!isset($_SESSION['visits'])) {
    $_SESSION['visits'] = 1;
} else {
    $_SESSION['visits']++;
}
echo 'You have visited this site: ' . $_SESSION['visits'] . ' times <br>';
echo 'Session name: ' . session_name() . '<br>';
echo 'Session id: ' . session_id() . '<br><br>';
// SID is "name=id" when no session cookie was sent, and the empty string otherwise.
echo 'SID: ' . SID . '<br><br>';
echo "<a href=\"Example12-SessionMgmt-sessionsWithoutCookies-page2.php\"> Next page </a>";
?>
</body>
</html>

Set up 3 web site pages with the same code and set up a link to navigate between them.
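The same visits page with the transport settings reversed, as an added example that is not part of the lecture slides: the session id is read from a cookie only and never appended to links. The ini directives and the cookie attributes used here are standard PHP settings (session_set_cookie_params with an array needs PHP 7.3 or later); the page file names are the ones from the slides.

```php
<?php
// Added example (not from the lecture slides): the "visits" page rewritten so
// that the session id travels only in a cookie. This is the corrected
// configuration beside the cookie-less one above.

// Read the session id from the cookie only: never from PHPSESSID=... in the
// query string or a form field, and never rewrite links to append it.
// An id in a URL is copied into browser history, bookmarks, proxy and server
// logs and Referer headers, and can be handed to someone in a link.
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);

// Only accept session ids that this server generated itself. Without strict
// mode PHP starts a session under whatever id the client presents, which is
// the "accepts any session identifier" weakness in the fixation example below.
ini_set('session.use_strict_mode', 1);

// Cookie attributes: Secure (sent over HTTPS only), HttpOnly (not readable by
// page scripts), SameSite=Lax (not attached to cross-site POST requests).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();
?>
<html lang="en">
<body>
<?php
echo '<h3>Page 1</h3>';
// Count the visits in this session.
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
echo 'You have visited this site: ' . $_SESSION['visits'] . ' times <br>';
echo 'Session name: ' . session_name() . '<br>';
echo 'Session id: ' . session_id() . '<br><br>';
// SID is the empty string when the id arrived in a cookie, so nothing is
// appended to the link below; the browser sends the cookie on the next request.
echo 'SID: "' . SID . '"<br><br>';
echo "<a href=\"Example12-SessionMgmt-sessionsWithoutCookies-page2.php\"> Next page </a>";
?>
</body>
</html>
```

Load the page twice in the same browser and the visit counter still climbs, but the address bar and the "Next page" link no longer show a PHPSESSID parameter; the id is only visible in the browser's cookie store.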
SESSION MANAGEMENT
1. URL parameters
2. Hidden form fields
3. Cookies
Session fixation using a cookie
SESSION MANAGEMENT
Session hijacking
1. Session ids in URLs, cookies or form fields
2. Session fixation
3. Session sidejacking or sniffing
4. Cross site scripting
5. Malware or other unwanted programs on the client
SESSION MANAGEMENT
Session fixation
http://untrustedbank.com
The attacker knows that the victim banks here.
This site:
1. accepts any session identifier
2. accepts session ids from query strings
3. has no security validation
4. does not generate a new id on login
A link carrying an id chosen by the attacker:
http://www.untrustedbank.com.com/?session_id=ATTACKER_FIXATED_ID
Or: the attacker visits http://untrustedbank.com and gets a session id (SID: SERVER_GENERATED_ID); a link carrying that server-generated id:
http://www.untrustedbank.com.com/?session_id=SERVER_GENERATED_ID
SESSION MANAGEMENT
Session fixation - counter measures
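A login and logout pair that closes the four holes listed for untrustedbank.com, as an added example that is not part of the lecture slides. The numbered comments map each measure to the weakness it addresses. verify_password(), the $users array and the form field names are placeholders standing in for the site's own credential check; session_regenerate_id(), session.use_strict_mode and the logout cookie expiry are standard PHP.

```php
<?php
// Added example (not from the lecture slides): session fixation counter
// measures for a login handler. Names marked as placeholders are assumptions.

function session_bootstrap(): void
{
    ini_set('session.use_only_cookies', 1); // (2) no ids from query strings or form fields
    ini_set('session.use_trans_sid', 0);
    ini_set('session.use_strict_mode', 1);  // (1) reject ids the server did not issue
    session_start();
}

// Placeholder credential check; a real site looks the hash up in its user store.
function verify_password(string $username, string $password): bool
{
    $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]; // constructed
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

function login(string $username, string $password): bool
{
    if (!verify_password($username, $password)) {
        return false;
    }
    // (4) Generate a new id at the moment of login. The argument true deletes
    // the old session, so any id the browser had before login (including one
    // fixated through a link) stops mapping to a session from this point on.
    session_regenerate_id(true);
    $_SESSION['user']      = $username;
    $_SESSION['last_seen'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying the server side.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// (3) Validation on every request: only a session that login() created is
// accepted, and one idle for more than $max_idle seconds is discarded.
function current_user(int $max_idle = 900): ?string
{
    if (!isset($_SESSION['user'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > $max_idle) {
        logout();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user'];
}

session_bootstrap();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    echo login($_POST['username'], $_POST['password']) ? 'Logged in' : 'Login failed';
} else {
    $user = current_user();
    echo $user === null ? 'Not logged in' : 'Logged in as ' . htmlspecialchars($user);
}
```

The order matters: the new id is issued only after the password check succeeds, so an unauthenticated visitor cannot learn the id that the authenticated session will use. The same regeneration call belongs at any other privilege change (for example password change or role elevation), not just at login.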