Session Fixation
Concept
Session Fixation is an attack in which the attacker tricks the victim into using a session identifier (SessionID) that the attacker has chosen. This is the simplest way for an attacker to obtain a valid session identifier. Session Fixation can also be seen as a type of session hijacking, because the main goal is the same: to obtain a legitimate user's session. The difference is that instead of stealing the session after the fact, the attacker fixes it in advance, coercing the victim into using a valid session that the attacker already knows, and then uses that session to access the user's sensitive information.
Principle
- When a user first accesses the site, the site sets a session cookie.
- When the user logs in, the session cookie is left unchanged.
- So whoever knows the session ID before login also knows the session ID after login.
Vulnerability detection
- Visit the website without logging in: record the cookie information, including the session ID.
- Log in and visit the website again: view the cookie information and the session ID.
- Compare the two: if the session ID after login is the same as the one before login, the site is vulnerable.
Defenses
- Regenerate the session ID after a successful login.
- Force the anonymous session that existed before login to expire.
- Bind the session ID to the browser: if the browser that presents the session ID changes, reset the session ID immediately.
- Bind the session ID to the client IP: if the IP address that presents the session ID changes, reset the session ID immediately.
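The following is an added example, not code from the original page, that puts the detection procedure and the defenses above into working form. It assumes a constructed in-memory session store standing in for a web framework's session backend, a constructed user table, and two login handlers: vulnerable_login, which keeps the pre-login session ID, and hardened_login, which expires the anonymous session and issues a fresh ID. The session_id_survives_login function runs the detection steps (record ID before login, log in, compare), and SessionStore.resolve implements the browser and IP binding by dropping a session whose User-Agent or IP no longer matches.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed in-memory session store standing in for a web framework's
# server-side session backend (assumption: sessions are keyed by an opaque
# random id that the browser sends back in a cookie).
@dataclass
class Session:
    user: Optional[str] = None   # None while the session is anonymous
    user_agent: str = ""         # used for the browser binding
    ip: str = ""                 # used for the IP binding

class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def new_id(self) -> str:
        return secrets.token_urlsafe(32)

    def start(self, user_agent: str, ip: str) -> str:
        """First visit: issue an anonymous session, as in the Principle section."""
        sid = self.new_id()
        self.sessions[sid] = Session(user_agent=user_agent, ip=ip)
        return sid

    def resolve(self, sid: str, user_agent: str, ip: str) -> Optional[Session]:
        """Look up a session; if the browser or IP no longer matches, drop it
        immediately so the id stops working (the two binding defenses)."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if sess.user_agent != user_agent or sess.ip != ip:
            del self.sessions[sid]
            return None
        return sess

# Constructed credential table; a real application would verify a password hash.
USERS = {"alice": "correct-horse-battery-staple"}

def check_password(user: str, password: str) -> bool:
    return hmac.compare_digest(USERS.get(user, ""), password)

def vulnerable_login(store, sid, user, password, user_agent, ip) -> str:
    """Before: marks the existing session as logged in and keeps its id."""
    sess = store.resolve(sid, user_agent, ip)
    if sess is None or not check_password(user, password):
        return sid
    sess.user = user
    return sid

def hardened_login(store, sid, user, password, user_agent, ip) -> str:
    """After: forces the anonymous session to expire and issues a fresh id."""
    if store.resolve(sid, user_agent, ip) is None or not check_password(user, password):
        return sid
    del store.sessions[sid]   # the pre-login session is gone, so a fixed id is useless
    new_sid = store.new_id()
    store.sessions[new_sid] = Session(user=user, user_agent=user_agent, ip=ip)
    return new_sid

LoginFn = Callable[..., str]

def session_id_survives_login(login: LoginFn) -> bool:
    """The detection procedure: record the session id before login, log in,
    and compare. True means the id is reused, i.e. fixation is possible."""
    store = SessionStore()
    ua, ip = "Mozilla/5.0 (constructed)", "203.0.113.10"   # constructed client
    before = store.start(ua, ip)                            # not logged in yet
    after = login(store, before, "alice", "correct-horse-battery-staple", ua, ip)
    old = store.resolve(before, ua, ip)
    # Vulnerable if the id is unchanged, or the old id still reaches the logged-in user.
    return before == after or (old is not None and old.user is not None)

def binding_resets_session() -> bool:
    """Binding check: a session presented from a different IP is reset, and the
    reset is permanent even when the original client comes back."""
    store = SessionStore()
    ua = "Mozilla/5.0 (constructed)"
    sid = store.start(ua, "203.0.113.10")
    from_other_ip = store.resolve(sid, ua, "198.51.100.7")
    from_original = store.resolve(sid, ua, "203.0.113.10")
    return from_other_ip is None and from_original is None

if __name__ == "__main__":
    print("vulnerable login reuses id:", session_id_survives_login(vulnerable_login))  # True
    print("hardened login reuses id:", session_id_survives_login(hardened_login))      # False
    print("binding resets session on change:", binding_resets_session())             # True
```

The key design choice in hardened_login is that it deletes the old session entry rather than merely changing the cookie value: regenerating the ID without expiring the anonymous session would leave the pre-login ID valid, and session_id_survives_login catches that case by resolving the old ID after login.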