Session Fixation

Session fixation is a web security threat in which a user’s session ID is set to one known to an attacker.

For example, an attacker can send a user an email with a link containing that particular session ID. In this case the attacker just has to wait until the user logs in.

Defense

Session fixation can be made more difficult by:

  • Using a long random string as the session key. This reduces the risk that an attacker could simply guess a valid session ID through trial and error or brute-force attacks.
  • Regenerating a session ID after a successful login so that the attacker does not know the session ID after the user has logged in.
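The following Python sketch is an added illustration of the two points above; it is not Uniface or WRD code and is not part of this page. The `SessionStore`, `Session` and `regenerate_on_login_demo` names are assumptions made for the example. The store issues session IDs from 256 random bits, and its `login` method (which assumes the credentials have already been verified) issues a fresh ID, carries the pre-login context over to the new session in the same way `copySessionContext` does, and drops the old session so that an ID known before authentication no longer maps to anything.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# 32 random bytes = 256 bits of entropy: long enough that guessing a live
# session ID by trial and error is not a practical option.
SESSION_ID_BYTES = 32


@dataclass
class Session:
    user: Optional[str] = None          # None until a successful login
    context: Dict[str, object] = field(default_factory=dict)


class SessionStore:
    """In-memory session store (hypothetical; stands in for the server's own)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def _fresh_id(self) -> str:
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        # The loop is practically never taken; it only guards against a collision.
        while sid in self._sessions:
            sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        return sid

    def new_session(self) -> str:
        """Start an anonymous session and return its server-generated ID."""
        sid = self._fresh_id()
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Look up a session; an ID the server never issued yields None."""
        return self._sessions.get(sid)

    def login(self, sid: str, user: str) -> str:
        """Mark the user as authenticated under a new session ID.

        Mirrors the ChangeSession / copySessionContext pattern: context gathered
        before login is copied to the new session, and the old session (whose ID
        existed before authentication and may have been seen by someone else)
        is invalidated.
        """
        old = self._sessions.pop(sid, None)
        carried = dict(old.context) if old is not None else {}
        new_sid = self._fresh_id()
        self._sessions[new_sid] = Session(user=user, context=carried)
        return new_sid


def regenerate_on_login_demo() -> dict:
    """Walk through one login and report what each ID maps to afterwards."""
    store = SessionStore()
    pre_login_id = store.new_session()
    # Constructed sample state collected before login (e.g. a shopping cart).
    store.get(pre_login_id).context["cart"] = ["sku-123"]

    post_login_id = store.login(pre_login_id, "alice")

    return {
        "ids_differ": pre_login_id != post_login_id,
        "old_id_still_valid": store.get(pre_login_id) is not None,
        "new_session_user": store.get(post_login_id).user,
        "context_carried_over": store.get(post_login_id).context,
        "id_length": len(post_login_id),
    }


if __name__ == "__main__":
    for key, value in regenerate_on_login_demo().items():
        print(f"{key}: {value}")
```

Running the module shows `old_id_still_valid: False`: a request that presents the pre-login ID after the login is treated as unknown rather than as the authenticated user, which is the property the ChangeSession command provides in WRD.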

Changing Session ID

Adding the command ChangeSession with the value New or Renew to $webinfo("SESSIONCOMMANDS") causes the WRD to close the old session and start a new one.

Tip: It is useful to centralize code for session management in one component.

; Send command to WRD to create a new session
putitem/id $webinfo("SESSIONCOMMANDS"), "ChangeSession", "NEW"

; Optionally, if you want to keep the session context in the new session,
; ask WRD to call back to your "copySessionContext" operation.
putitem/id $webinfo("SESSIONCOMMANDS"), "WrdActivate", %\
  "%%$instancename.copySessionContext"

In the same component, define the WRD callback operation copySessionContext. This operation makes use of the USYSSTAT component API to get and set session state information.

operation copySessionContext
public web
variables
  string vWebServerContext, vSessionId, vOldSessionId, vUSessionContext
endvariables

; Get Web server context
vWebServerContext = $webinfo("WEBSERVERCONTEXT")

; Get old invalidated session ID
getitem/id vOldSessionId, vWebServerContext, "INVALIDATEDSESSION"

; Get new session ID
getitem/id vSessionId, vWebServerContext, "SESSION"

; Copy your session context from old session to the new session
activate "USYSSTAT".getState(vOldSessionId, $instancename, vUSessionContext)
activate "USYSSTAT".setState(vSessionId, $instancename, vUSessionContext)

; Delete the context associated with the old session id;
activate "USYSSTAT".deleteState(vOldSessionId, $instancename)

end