4. Session Management
Mechanism of Cookies
Introducing Session Management Attacks
Strategies of Session Storage
Session Management Testing
Strategies for Secure Session Management
5. Mechanism of Cookies
HTTP session token
Problem: HTTP is stateless; every request stands alone, so the server cannot tell by itself which requests belong to the same user.
o Solution: HTTP cookies carrying a session token
The client stores the token and sends it back with each request as
o an HTTP cookie, or
o a parameter in GET or POST requests (weaker: the token then ends up in URLs, logs and Referer headers).
6. Mechanism of Cookies
What is a Session
A session is a semi-permanent interactive information interchange, also known as
a dialogue, a conversation or a meeting, between a computer and a user.
An established communication session may involve more than one message in
each direction.
A session is typically, but not always, stateful, meaning that at least one of the
communicating parties needs to save information about it, as opposed to stateless
communication, where the communication consists of independent requests with
responses, such as HTTP.
7. Mechanism of Cookies
Session ID
A session identifier, session ID or session token is a piece of data that is
used in network communications (often over HTTP) to identify a session.
A session ID is usually a long, randomly generated string, so that a valid one
cannot be found by brute-force search.
The reason to use session tokens:
o the client only has to handle the identifier, a small opaque value that carries no
user data itself; all session data is stored on the server and is never transmitted.
o Caveat: the identifier is still a bearer credential. Whoever presents it is treated
as the user, so it needs the same protection as a password for as long as it is valid.
11. HTTP Cookies
HTTP Cookies
The following is a list of the attributes that can be set for each cookie:
o Secure - the browser only sends the cookie if the request goes over a
secure channel such as HTTPS.
o HttpOnly - the cookie cannot be read from client-side script such as
JavaScript (document.cookie), which blunts cookie theft through XSS.
• Note that very old browsers ignore this flag, so it complements output encoding rather than replacing it.
o Domain - the cookie is sent only to hosts matching this domain (and its
subdomains); if omitted, only to the exact host that set it.
12. HTTP Cookies
HTTP Cookies
The following is a list of the attributes that can be set for each cookie:
o Path - in addition to the domain, a URL path prefix for which the cookie is
valid. Only if both domain and path match is the cookie sent with the request.
o Expires - sets a persistent cookie: the browser keeps it until the given date
has passed. Without it the cookie lives only until the browser is closed.
13. HTTP Cookies
HTTP Cookies: PHP function
session_set_cookie_params() - the effect of this function only lasts for the duration of
the script. Thus, you need to call it on every request and before session_start() is called.
This function updates the runtime ini values of the corresponding PHP ini settings
(session.cookie_lifetime, session.cookie_path, session.cookie_domain, session.cookie_secure, session.cookie_httponly).
session_set_cookie_params($lifetime, $path, $domain, $secure = false, $httponly = false)
14. HTTP Cookies
HTTP Cookies: PHP function
setcookie() defines a cookie to be sent along with the rest of the HTTP headers.
Like other headers, cookies must be sent before any output from your script (this is a
protocol restriction); any byte already echoed, even whitespace before <?php, makes the call fail.
Once the cookies have been set, they can be read on the next request through
$_COOKIE.
setcookie($name, $value, $expire = 0, $path, $domain, $secure = false, $httponly = false)
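As an added example (not code from the original slides), here are the attributes from these two slides applied with both PHP calls: the session cookie through session_set_cookie_params() and a persistent presentation cookie through setcookie(). It assumes PHP 7.3 or later for the array form of the options and a site served over HTTPS; the SameSite attribute and the headers_list() self-check go beyond what the slides cover.

```php
<?php
// Added example, not from the original slides. Assumes PHP >= 7.3 and HTTPS.
declare(strict_types=1);

// 1. Session cookie. Must run before session_start() on EVERY request, because
//    session_set_cookie_params() only affects the current script.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: discarded when the browser closes
    'path'     => '/',      // valid for the whole site
    'domain'   => '',       // host-only: not sent to subdomains
    'secure'   => true,     // only over HTTPS
    'httponly' => true,     // not readable through document.cookie
    'samesite' => 'Lax',    // not on the slides: limits cross-site sends (CSRF)
]);
ini_set('session.use_only_cookies', '1'); // never accept the SID from the URL
session_start();

// 2. A presentation-only cookie (theme), persistent for one day.
//    Like any header it must go out before output; check instead of hoping.
if (headers_sent($file, $line)) {
    throw new RuntimeException("Output already started at $file:$line; cannot set cookies");
}
setcookie('theme', 'dark', [
    'expires'  => time() + 86400, // persistent: 24 hours
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// 3. Self-check: inspect the Set-Cookie headers PHP has queued for this response
//    and log any cookie that lacks one of the protective attributes.
$missing = [];
foreach (headers_list() as $h) {
    if (stripos($h, 'Set-Cookie:') !== 0) {
        continue;
    }
    foreach (['Secure', 'HttpOnly', 'SameSite'] as $attr) {
        if (stripos($h, $attr) === false) {
            $missing[] = "$h lacks $attr";
        }
    }
}
if ($missing !== []) {
    error_log(implode("\n", $missing));
}
// On the next request the values are available in $_COOKIE['theme'] and $_SESSION.
```

The session cookie deliberately gets no Expires so it dies with the browser; the theme cookie is persistent but holds nothing that grants access, which is why it can outlive the session.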
15. Session Management
Session management
Session management is the process of keeping track of a user's activity
across sessions of interaction with the system.
18. Session Attacks
Session fixation
A session fixation attack allows one person to fixate (set) another person's
session identifier (SID).
The attacker obtains a valid session without hijacking or sniffing it: they plant a
session ID they already know on the victim and wait for the victim to log in with it.
Most variants rely on session identifiers being accepted from URLs (query string)
or POST data.
19. Session Attacks
Session fixation
Session fixation vulnerabilities occur when:
the web application authenticates a user without first invalidating the
existing session ID, thereby continuing to use the session ID already
associated with the user, and
an attacker is able to force a known session ID on a user so that, once the
user authenticates, the attacker has access to the authenticated session.
22. Session Attacks
Session fixation: Countermeasures
Do not accept session identifiers from GET / POST variables
Accept only server-generated SIDs (reject an unknown SID and issue a fresh one)
Provide a logout function that destroys the server-side session
Destroy the session if the Referer is suspicious
Time out old SIDs
Verify that additional information is consistent throughout the session
o User-Agent
23. Session Attacks
Session fixation: Defense in Depth
Enable HTTPS (to protect against other problems, such as sniffing the SID)
Correct configuration (do not accept external SIDs, set a time-out, etc.)
o ini_set('session.use_only_cookies', 1);
Regenerate the SID on login with session_regenerate_id(true), support log-out, etc.
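As an added example (not code from the original slides), a login/logout pair that applies the fixation countermeasures above: cookie-only SIDs, a fresh identifier issued at the moment of authentication, a User-Agent consistency check on every later request, and a logout that destroys the server-side record. It assumes PHP 7.4 or later; check_credentials() and its one-entry user table are a hypothetical stand-in for the application's own credential check, and session.use_strict_mode (which makes PHP reject any SID it did not generate itself) is an addition not mentioned on the slides.

```php
<?php
// Added example, not from the original slides. Assumes PHP >= 7.4.
declare(strict_types=1);

ini_set('session.use_only_cookies', '1'); // never take the SID from GET/POST
ini_set('session.use_strict_mode', '1');  // reject SIDs PHP did not generate (addition)
session_set_cookie_params(0, '/', '', true, true); // lifetime, path, domain, Secure, HttpOnly
session_start();

// Hypothetical helper with a constructed user table; replace with the real check.
function check_credentials(string $user, string $password): ?int
{
    static $users = null;
    $users ??= ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]) ? 42 : null;
}

function login(string $user, string $password): bool
{
    $uid = check_credentials($user, $password);
    if ($uid === null) {
        return false;
    }
    // The decisive step: whatever SID the browser arrived with (possibly planted by
    // an attacker) is discarded and a fresh one issued BEFORE the session becomes
    // authenticated. true = delete the old server-side record as well.
    session_regenerate_id(true);
    $_SESSION = [];
    $_SESSION['uid']     = $uid;
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return true;
}

// Per-request check for "additional information is consistent throughout session".
function session_belongs_to_this_browser(): bool
{
    if (!isset($_SESSION['uid'], $_SESSION['ua_hash'])) {
        return false;
    }
    $current = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return hash_equals($_SESSION['ua_hash'], $current);
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser, then destroy the server-side record.
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Dispatch for a protected page (illustrative).
$action = $_POST['action'] ?? '';
if ($action === 'login') {
    http_response_code(login($_POST['user'] ?? '', $_POST['password'] ?? '') ? 204 : 401);
} elseif ($action === 'logout') {
    logout();
} elseif (!session_belongs_to_this_browser()) {
    logout();                // no login, or the User-Agent changed mid-session: force re-login
    http_response_code(401);
}
```

Note that regenerating only when a user is already logged in is not enough: the attacker's planted SID must be dropped at the transition from anonymous to authenticated, which is exactly where login() calls session_regenerate_id(true).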
24. Session Attacks
Session hijacking
Session hijacking is the exploitation of a valid session ID to gain unauthorized
access to information or services in a computer system.
25. Session Attacks
Session hijacking: Methods
Session fixation
Session sidejacking
o the attacker uses packet sniffing to read the session cookie from network traffic.
o Many web sites use SSL/TLS encryption for login pages to prevent
attackers from seeing the password, but do not use encryption for the
rest of the site once authenticated, so the cookie travels in clear text on every
later request. Site-wide HTTPS plus the Secure flag closes this gap.
26. Session Attacks
Session hijacking: Methods
Obtaining the file or memory contents of the appropriate part of either
the user's computer or the server (for example the browser's cookie store, or
the session files on the server).
Cross-site scripting, where the attacker tricks the user's browser into
running script which is treated as trustworthy because it appears to
belong to the server, allowing the attacker to obtain a copy of the cookie
(unless it is HttpOnly) or perform other operations in the user's session.
27. Session Attacks
Session hijacking: Countermeasures
Provide a method for users to log out of the application.
o The logout action should clear all session state on the server and remove or
invalidate any residual cookies in the browser.
Set short expiry times on persistent cookies, no more than a day.
Do not store session tokens in the URL or any other trivially modified data
entry point.
28. Session Attacks
Brute Force Session Identifier
Session tokens can be guessed when they are generated
o in a predictable fashion (timestamps, counters, user IDs), or
o from a key space that is too small to prevent guessing a token in reasonable
time, or when
o the application does not detect and prevent session brute forcing
attempts.
A session ID should not be in active use from two different clients at the same
time; one SID arriving concurrently from two places is a hijacking indicator.
29. Session Attacks
Brute Force Session ID: Countermeasures
Session identifiers should carry at least 128 bits (16 bytes, 32 hex characters) of
entropy to prevent brute-force session guessing attacks.
Limit the number of unique session tokens you see from the same IP
address (e.g. 20 in the last five minutes).
Use a strong, cryptographically secure random source for session tokens
o Use the framework's session management implementation rather than your own
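As an added example (not code from the original slides), the two countermeasures above in code: PHP's built-in SID generator configured for at least 128 bits of entropy (and a CSPRNG token for cases where you issue tokens yourself), a quick estimate of the guessing work that buys, and a sliding-window detector for "too many distinct session IDs from one IP in five minutes". It assumes PHP 8.0 or later; the session.sid_length and session.sid_bits_per_character settings exist since PHP 7.1, and the IP addresses and traffic below are constructed, not real logs.

```php
<?php
// Added example, not from the original slides. Assumes PHP >= 8.0.
declare(strict_types=1);

// (1) PHP's own generator: 32 characters x 4 bits = 128 bits with the defaults;
//     6 bits per character raises that to 192 bits at the same length.
ini_set('session.sid_length', '32');
ini_set('session.sid_bits_per_character', '6');

// For tokens you issue yourself (remember-me, API sessions): CSPRNG, 16 bytes = 128 bits.
function new_session_token(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes)); // 32 hex characters
}

// Average number of guesses before hitting one of $validSessions live tokens
// drawn from a $bits-bit space: half the space divided by the number of targets.
function expected_guesses(int $bits, int $validSessions): float
{
    return (2 ** $bits) / $validSessions / 2;
}

// (2) Sliding-window count of distinct SIDs presented by each client IP.
final class SidBruteForceDetector
{
    /** @var array<string, array<string, int>> ip => [sid => last-seen timestamp] */
    private array $seen = [];

    public function __construct(private int $limit = 20, private int $window = 300) {}

    /** Returns true when the source should be throttled or alerted on. */
    public function observe(string $ip, string $sid, int $now): bool
    {
        $this->seen[$ip][$sid] = $now;
        // Forget SIDs last seen outside the window.
        $this->seen[$ip] = array_filter(
            $this->seen[$ip],
            fn(int $t): bool => $now - $t <= $this->window
        );
        return count($this->seen[$ip]) > $this->limit;
    }
}

// Constructed traffic: one normal client reusing its SID, one client cycling guesses.
$detector = new SidBruteForceDetector(limit: 20, window: 300);
$t0 = 1_700_000_000;
$flagged = [];
for ($i = 0; $i < 30; $i++) {
    if ($detector->observe('203.0.113.10', 'stable-session-id', $t0 + $i)) {
        $flagged['203.0.113.10'] = true;
    }
    if ($detector->observe('198.51.100.7', new_session_token(), $t0 + $i)) {
        $flagged['198.51.100.7'] = true;
    }
}
printf("128-bit tokens, 10k live sessions: ~%.1e guesses per hit\n", expected_guesses(128, 10_000));
printf("flagged sources: %s\n", implode(', ', array_keys($flagged)) ?: 'none');
```

The detector keys on distinct SIDs rather than request count, so a busy legitimate user (one SID, many requests) is never flagged, while a guesser is flagged on the 21st distinct value inside the window. In production keep the counters in shared storage (e.g. the cache) rather than in process memory.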
30. Session Attacks
Session poisoning
This should really be called session injection, as it is just one more
variable injection type of attack. If you allow user input into session
variables, make sure you validate the data.
Typically a server application that is vulnerable to this type of exploit will
copy user input into session variables, or let user input decide which session
variable gets written.
31. Session Attacks
Session poisoning: Example
Exploiting ambiguous or dual use of the same session variable
Exploiting scripts allowing writes to arbitrary session variables (the name of the
session key comes straight from the request; $var2 is whatever value the script stores):
$var = $_GET["something"];
$_SESSION["$var"] = $var2;
vulnerable.php?something=SESSION_VAR_TO_POISON
32. Session Attacks
Session poisoning: Example
Session poisoning attacks enabled by php.ini: register_globals = on
It is possible for the attacker to cause both conditions to be false, so the script
never assigns $var itself.
With php.ini misconfigured (register_globals = on), the default value of $var
is then controlled by GPC (GET, POST or COOKIE) input, e.g. ?var=is_admin.
if ($condition1) { $var = 'SOMETHING'; };
if ($condition2) { $var = 'OTHER'; };
$_SESSION["$var"] = $var2;
register_globals was removed in PHP 5.4, but the same bug reappears wherever request
data is imported into local variables, e.g. extract($_GET).
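As an added example (not code from the original slides), the arbitrary-session-write pattern from the two previous slides next to a hardened version that restricts both the key and the value. The session keys (is_admin, prefs, theme, lang) and the request values are constructed for illustration; the script emulates $_SESSION as a plain array so it runs without a web server.

```php
<?php
// Added example, not from the original slides. Assumes PHP >= 7.0.
declare(strict_types=1);

// VULNERABLE: the *name* of the session variable comes from the request.
// vulnerable.php?something=is_admin&value=1 overwrites $_SESSION['is_admin'].
function store_preference_vulnerable(array $get): void
{
    $var  = $get['something'];
    $var2 = $get['value'];
    $_SESSION["$var"] = $var2;
}

// HARDENED: user input may only land in an allow-listed key, only with an
// allow-listed value, and only inside a namespace reserved for user data.
const USER_PREFS = [
    'theme' => ['light', 'dark'],
    'lang'  => ['en', 'fa', 'de'],
];

function store_preference_safe(array $get): bool
{
    $key   = (string) ($get['something'] ?? '');
    $value = (string) ($get['value'] ?? '');
    if (!array_key_exists($key, USER_PREFS)) {
        return false;                          // unknown key: refused, nothing written
    }
    if (!in_array($value, USER_PREFS[$key], true)) {
        return false;                          // value outside the allowed set
    }
    // Authorization state (is_admin) lives at the top level and is never reachable
    // from here; user-controlled data is confined to $_SESSION['prefs'].
    $_SESSION['prefs'][$key] = $value;
    return true;
}

// Walk-through without a web server: $_SESSION behaves as an ordinary array.
$_SESSION = ['is_admin' => false, 'prefs' => []];

store_preference_vulnerable(['something' => 'is_admin', 'value' => '1']);
var_dump($_SESSION['is_admin']);   // the request has rewritten an authorization flag

$_SESSION['is_admin'] = false;
var_dump(store_preference_safe(['something' => 'is_admin', 'value' => '1']));
var_dump(store_preference_safe(['something' => 'theme', 'value' => 'dark']));
var_dump($_SESSION['is_admin'], $_SESSION['prefs']);
```

After the vulnerable call any later `if ($_SESSION['is_admin'])` check passes, because the string "1" is truthy; after the hardened calls the flag is untouched and only prefs.theme has changed.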
33. Session Storage
Session Storage
Session data can be stored in:
o files (on the server; PHP's default is one file per session under session.save_path)
o a database.
Session data stored in files
o Better performance, but weaker security: on a shared host the session directory may
be readable by other accounts, and there is no central place to list or revoke sessions.
Session data stored in a database
o Better security (access control, central revocation, auditing), but weaker performance.
35. Session Management Testing
Session Management Testing
Test: Testing for Session Management Schema
Desc: 1. cookie collection, 2. cookie reverse engineering, 3. cookie manipulation.
The session tokens are tested for their randomness, uniqueness and
resistance to statistical and cryptographic analysis.
Test: Testing for Cookie attributes
Desc: Testing for the Secure and HttpOnly settings.
Are all Set-Cookie directives tagged as Secure?
What Expires= times are used on persistent cookies?
Test: Testing for Session Fixation
Desc: No new cookie has been issued upon a successful authentication.
36. Session Management Testing
Session Management Testing
Test: Testing for Exposed Session Variables
Desc: How are session IDs transferred? E.g. GET, POST, form field.
Are session IDs always sent over encrypted transport by default?
Test: Testing for CSRF
Desc: Take the URL being tested, for example
u = http://www.example.com/action
and build an HTML page containing the HTTP request referencing URL u; if the
action succeeds when a logged-in user loads that page, the endpoint is vulnerable.
Test: Regeneration of Session Tokens
Desc: Note the session ID at the start and after every significant
transaction.
If the session ID never changes, the application is at risk.
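As an added example (not code from the original slides), an offline checker for three of the tests in the tables above: cookie attributes (Secure, HttpOnly, SameSite, Expires no later than one day, minimum token length), exposed session variables (SID in the query string) and session fixation (SID unchanged after login). The Set-Cookie headers, URL and session IDs are constructed sample observations, not captured from a real site; it assumes PHP 7.0 or later.

```php
<?php
// Added example, not from the original slides. Assumes PHP >= 7.0.
declare(strict_types=1);

/** Split "name=value; Attr; Key=Val" into name, value and a lower-cased attribute map. */
function parse_set_cookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name, $value] = array_pad(explode('=', array_shift($parts), 2), 2, '');
    $attrs = [];
    foreach ($parts as $p) {
        [$k, $v] = array_pad(explode('=', $p, 2), 2, true); // flag attributes get true
        $attrs[strtolower($k)] = $v;
    }
    return ['name' => $name, 'value' => $value, 'attrs' => $attrs];
}

/** Findings for one Set-Cookie value; $isSession enables the token-length check. */
function audit_cookie(string $header, bool $isSession): array
{
    $c = parse_set_cookie($header);
    $a = $c['attrs'];
    $out = [];
    foreach (['secure' => 'Secure', 'httponly' => 'HttpOnly', 'samesite' => 'SameSite'] as $flag => $label) {
        if (!isset($a[$flag])) {
            $out[] = "{$c['name']}: missing $label";
        }
    }
    if (isset($a['expires'])) {
        $ttl = strtotime((string) $a['expires']) - time();
        if ($ttl > 86400) {
            $out[] = "{$c['name']}: persistent for " . intdiv($ttl, 86400) . " days (limit: 1 day)";
        }
    }
    // Upper bound on entropy for a hex token: 4 bits per character.
    if ($isSession && ctype_xdigit($c['value']) && strlen($c['value']) * 4 < 128) {
        $out[] = "{$c['name']}: at most " . strlen($c['value']) * 4 . " bits of entropy";
    }
    return $out;
}

/** Exposed session variable: the SID travels in the query string. */
function sid_in_url(string $url, string $sidName): bool
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    return isset($q[$sidName]);
}

/** Fixation test: the SID must change when authentication succeeds. */
function sid_regenerated(string $before, string $after): bool
{
    return !hash_equals($before, $after);
}

// Constructed observations from a hypothetical target.
$headers = [
    'PHPSESSID=3f2a9c1b4d5e6f70; path=/',
    'theme=dark; Expires=Fri, 01 Jan 2100 00:00:00 GMT; Path=/; Secure; HttpOnly; SameSite=Lax',
];
foreach ($headers as $h) {
    foreach (audit_cookie($h, strpos($h, 'PHPSESSID=') === 0) as $finding) {
        echo $finding, "\n";
    }
}
echo 'SID in URL: ', sid_in_url('https://example.com/app?PHPSESSID=3f2a9c1b4d5e6f70', 'PHPSESSID') ? 'yes' : 'no', "\n";
echo 'SID regenerated on login: ', sid_regenerated('3f2a9c1b4d5e6f70', '3f2a9c1b4d5e6f70') ? 'yes' : 'no', "\n";
```

Feed it the Set-Cookie lines and the before/after login SIDs recorded from a proxy; the entropy figure is only an upper bound from the token length, so the randomness tests in the schema row still need a sample of many tokens.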
38. Session Management
Session Management: Countermeasures
Avoid weak session cryptographic algorithms
Use an appropriate key space
Implement session time-out
Regenerate session tokens
o prior to any significant transaction
o after a certain number of requests
o as a function of time, say every 20 minutes or so
o Problem: when using third-party software that keeps its own copy of the SID, or
when concurrent requests are in flight, regeneration can break requests that still
carry the old ID.
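As an added example (not code from the original slides), the time-out and regeneration rules above as a small policy object run on every request right after session_start(): an idle limit, an absolute lifetime, and rotation of the identifier before sensitive actions, after a number of requests, and after a fixed time. The limits (15 minutes idle, 8 hours absolute, every 100 requests or 20 minutes) are assumptions; it assumes PHP 8.0 or later and emulates $_SESSION as a plain array so the walk-through runs without a web server.

```php
<?php
// Added example, not from the original slides. Assumes PHP >= 8.0.
declare(strict_types=1);

final class SessionPolicy
{
    public function __construct(
        private int $idleLimit     = 900,      // seconds without a request
        private int $absoluteLimit = 8 * 3600, // seconds since login
        private int $rotateEvery   = 100,      // requests
        private int $rotateAfter   = 1200,     // seconds: "every 20 minutes or so"
    ) {}

    /** Returns false when the session has expired and the user must log in again. */
    public function enforce(int $now, bool $sensitive = false): bool
    {
        $_SESSION['created']  ??= $now;
        $_SESSION['last']     ??= $now;
        $_SESSION['rotated']  ??= $now;
        $_SESSION['requests']   = ($_SESSION['requests'] ?? 0) + 1;

        $idle = $now - $_SESSION['last'];
        $age  = $now - $_SESSION['created'];
        if ($idle > $this->idleLimit || $age > $this->absoluteLimit) {
            $_SESSION = [];
            if (session_status() === PHP_SESSION_ACTIVE) {
                session_destroy();
            }
            return false;
        }
        $_SESSION['last'] = $now;

        if ($sensitive
            || $_SESSION['requests'] >= $this->rotateEvery
            || $now - $_SESSION['rotated'] > $this->rotateAfter) {
            // New identifier, same data; true deletes the old server-side record so
            // a previously stolen SID cannot be replayed.
            if (session_status() === PHP_SESSION_ACTIVE) {
                session_regenerate_id(true);
            }
            $_SESSION['rotated']  = $now;
            $_SESSION['requests'] = 0;
        }
        return true;
    }
}

// Typical use in a front controller:
//   session_start();
//   if (!(new SessionPolicy())->enforce(time(), $isCheckoutOrPasswordChange)) { /* redirect to login */ }

// Walk-through without a web server: $_SESSION behaves as an ordinary array.
$_SESSION = [];
$policy = new SessionPolicy();
$t0 = 1_700_000_000;
var_dump($policy->enforce($t0));          // first request: timers initialised
var_dump($policy->enforce($t0 + 600));    // 10 minutes later: inside the idle limit
var_dump($policy->enforce($t0 + 1600));   // 1000 s since the last request: idle limit exceeded
```

Because session_regenerate_id(true) removes the old record immediately, an AJAX request that was already in flight with the old ID will fail right after a rotation; if that matters, rotate only on page loads (not on API calls) or accept a short grace period, which is the "third-party software" problem from the slide in practice.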
39. Session Management
Session Management: Countermeasures
Use the framework's session management implementation.
Authorization and role data should be stored on the server side only.
Presentation flags (such as theme or user language) can belong in
cookies.
Tie the session to a particular browser by storing a hash of client properties
(for example the User-Agent and, optionally, the client IP address) in the session and
checking it on each request. Client IP addresses change behind proxies and on mobile
networks, so treat a mismatch as a reason to re-authenticate rather than as proof of attack.