Session fixation is a vulnerability in which an attacker sets a victim's Session Identifier (SID) to a value the attacker already knows. Once the victim signs in, the attacker presents that same SID and is treated as the logged-in user, gaining access to the victim's private information.
For Example:
Jason has determined that the bank site his neighbor Joe uses, http://mybank.com, is susceptible to session fixation. Jason sends Joe an email with a link to the bank that sets the session ID to a value he chose: http://mybank.com?SID=12345. Joe, trusting his neighbor, clicks the link and signs in to his account. Because the site keeps the SID it was handed and simply marks that session as authenticated, Jason can now open the same link and access Joe's account.
Prevention:
The attack is defeated by regenerating the user's SID whenever their privilege level changes, most importantly at login. Even if Joe clicks the link Jason sent, the site issues a fresh SID as soon as he logs in; Jason does not know the new value, so the SID he planted never maps to an authenticated session. Two details matter in practice: the old session must be deleted, not merely renamed, so the planted SID cannot still be used, and the site should not accept SIDs from the URL at all, which in PHP means enabling session.use_only_cookies and session.use_strict_mode so that client-supplied IDs the server never issued are rejected.
Pseudo code [PHP]:
```php
<?php
// Login handler. validateUser() is the application's own credential check,
// as in the original pseudo code; it is not defined here.
class LoginController
{
    public function authenticate()
    {
        // The session must be active before its ID can be regenerated
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }

        // get user name and password from the login form
        $user_name = $_POST['user_name'] ?? '';
        $password  = $_POST['password'] ?? '';

        // validate the user
        if (validateUser($user_name, $password)) {
            // Privilege level changed: issue a fresh session ID and delete the
            // old session file so a planted ID no longer refers to a logged-in session
            session_regenerate_id(true);
            return true;
        }
        return false;
    }
}
```
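The scenario above, as an added example that is not part of the original post: a small in-memory session store in Python that models the bank site both ways, once keeping the client-supplied SID across login (vulnerable) and once regenerating it (hardened), and then replays Jason's attack against each. The store, the user table and the planted SID 12345 are constructed for the example; the regenerating path mirrors what session_regenerate_id(true) does in the PHP above.

```python
import hmac
import secrets

# Constructed user table for the example (assumption: a real site stores password hashes)
USERS = {"joe": "correct horse battery staple"}


def validate_user(username, password):
    """Credential check, compared in constant time."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


class SessionStore:
    """In-memory server-side session store (constructed for the example)."""

    def __init__(self, regenerate_on_login):
        self.sessions = {}  # sid -> session data
        self.regenerate_on_login = regenerate_on_login

    def resume(self, sid):
        """Attach the request to the session named by the client-supplied SID.

        Like PHP with session.use_strict_mode off, an unknown SID is accepted
        and a fresh, unauthenticated session is created under it. This is the
        behaviour that lets Jason plant SID 12345 in the first place.
        """
        if sid not in self.sessions:
            self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username, password):
        """Authenticate; returns the SID the client must use from now on."""
        if not validate_user(username, password):
            return None
        if self.regenerate_on_login:
            # Privilege level changed: move the data to a fresh random SID and
            # delete the old session, as session_regenerate_id(true) does.
            data = self.sessions.pop(sid)
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = username
        return sid

    def current_user(self, sid):
        session = self.sessions.get(sid)
        return session["user"] if session else None


def replay_attack(regenerate_on_login):
    """Jason plants SID 12345, Joe logs in, Jason then presents the planted SID.

    Returns (who Jason is logged in as, who Joe is logged in as).
    """
    store = SessionStore(regenerate_on_login)
    planted_sid = "12345"  # from the link in Jason's email

    # Joe's browser presents the planted SID and he signs in
    joe_sid = store.login(store.resume(planted_sid), "joe", USERS["joe"])

    # Jason presents the SID he planted
    return store.current_user(planted_sid), store.current_user(joe_sid)


if __name__ == "__main__":
    print("without regeneration:", replay_attack(False))  # ('joe', 'joe')
    print("with regeneration:   ", replay_attack(True))   # (None, 'joe')
```

Note that resume() still accepts any SID the client hands it; strict mode would reject the unknown 12345, but it is not a substitute for regeneration, because Jason can first obtain a valid SID from the server himself and plant that one instead. Regenerating at login closes the hole regardless of where the SID came from.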