This article looks at two related web application threats: session hijacking and session fixation. Session hijacking, also known as cookie hijacking, is the exploitation of a valid session key to gain unauthorized access to a computer system. Session fixation is an attack that lets an attacker take over a user's session by exploiting the way a web application manages session IDs. The article explains the difference between the two attacks, their distinct attack vectors and their common objective. It then covers preventive measures, explaining why encrypting the cookie value alone does not help and why HTTPS, together with sound session ID handling, is central to securing web applications.
Session hijacking and session fixation
What is session hijacking?
In computer science, session hijacking, sometimes also known as cookie hijacking, is the
exploitation of a valid computer session (sometimes also called a session key) to gain
unauthorized access to information or services in a computer system. In particular, it refers
to the theft of the magic cookie used to authenticate a user to a remote server. It is of
particular relevance to web developers, because the HTTP cookies used to maintain a session on
many web sites can be stolen by an attacker on the network path (for example by sniffing an
unencrypted connection) or by anyone with access to the saved cookies on the victim's computer.
What is session fixation?
Session fixation is an attack that permits an attacker to hijack a valid user session. It exploits
a weakness in the way the web application manages the session ID: the vulnerable application does
not assign a new session ID when it authenticates a user, so a session ID that existed before
login remains valid afterwards. The attack consists of obtaining a valid session ID (e.g. by
connecting to the application), inducing the victim to authenticate with that session ID, and
then hijacking the now-authenticated session using the known session ID. In other words, the
attacker has to obtain a legitimate session ID from the application and make the victim's
browser use it.
Session fixation is therefore a sub-class of session hijacking. Classic session hijacking steals
the session established between the client and the web server after the user logs in; session
fixation instead plants (fixes) a session ID in the victim's browser beforehand, so the attack
starts before the user logs in.
Difference between session hijacking and session fixation
Session fixation and session hijacking share a common goal: to gain access to a legitimate
session of another user. Their attack vectors differ, however.
In a session fixation attack, the attacker already holds a valid session ID and tries to force
the victim to use that particular session. In a session hijacking attack, the attacker tries to
obtain the ID of the victim's existing session in order to use it.
Prevention of session hijacking and session fixation:
Encrypting the session value has no effect on its own. The session cookie is already an arbitrary
value; encrypting it just produces another arbitrary value, and whoever can sniff that value can
replay it just as well.
The real defence against sniffing is HTTPS. If you do not want to serve your whole site over TLS
(for example because of performance concerns), you may be able to get away with protecting only
the sensitive areas. To do that, first make sure your login page is served over HTTPS. When a user
logs in, set a secure cookie (one carrying the Secure attribute, meaning the browser will only
transmit it over a TLS connection) in addition to the regular session cookie. Then, when a user
visits one of your "sensitive" areas, redirect them to HTTPS and check for that secure cookie. A
real user will have it; a session hijacker who sniffed the regular cookie over plain HTTP will
not. Two caveats: the non-sensitive areas remain hijackable under this scheme, and the secure
cookie must be an unguessable value tied to the session, because a bare presence check is
satisfied by any value an attacker sets himself. Serving the whole site over HTTPS and marking
all session cookies Secure and HttpOnly removes the problem entirely.
HTTPS does nothing against session fixation, because the attacker never has to sniff anything.
The fix there follows directly from the cause described above: issue a brand-new session ID when
the user authenticates, discard the old one, and never accept a session ID the server did not
itself issue.
DOM diagram: Document > <html> (root element) > <head> (<title> page title, <script> JavaScript, <link> CSS) and <body> > <div> parent wrapper containing a <div> Food Details dialog, a <div> Food Rating dialog (<img> food image, <div> name wrapper with <div> name, <div> rate button, <ul> rating list of <li> ratings, <form> rating form with <input> reviewer name, rating, review and submit) and a <table> food menu table (<th> table header, <tr> table rows of <td> food name, food image, average rating).