Difference between revisions of "Session Fixation Protection"

From OWASP
Jump to: navigation, search
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[http://s1.shard.jp/galeach/new170.html regional asia japan education] [http://s1.shard.jp/olharder/autoroll-654.html webmap] [http://s1.shard.jp/galeach/new134.html asian children adoption
 
] [http://s1.shard.jp/olharder/stan-olsen-auto.html auto car discount part part
 
] [http://s1.shard.jp/frhorton/ru9zwzdr5.html african american church directory florida in orlando
 
] [http://s1.shard.jp/olharder/j-b-auto-salvage.html automobile dealer in tri state area
 
] [http://s1.shard.jp/galeach/new113.html double cropping in east asia
 
] [http://s1.shard.jp/galeach/new57.html american asian festival film jose san
 
] [http://s1.shard.jp/bireba/symantec-antivirus.html panda antivirus scan
 
] [http://s1.shard.jp/olharder/auto-remer.html phila auto show discount
 
] [http://s1.shard.jp/olharder/bank-auto-repos.html auto loot maplesea
 
] [http://s1.shard.jp/olharder/autoroll-654.html page] [http://s1.shard.jp/galeach/new163.html caucasian chalk circle brecht
 
] [http://s1.shard.jp/galeach/new173.html review asian massage dallas
 
] [http://s1.shard.jp/olharder/autoroll-654.html webmap] [http://s1.shard.jp/olharder/autoroll-654.html http] [http://s1.shard.jp/losaul/coastlines-of-australia.html book suppliers australia
 
] [http://s1.shard.jp/frhorton/ank33l6la.html african american article news
 
] [http://s1.shard.jp/bireba/download-symantec.html pc cillin 2000 antivirus
 
] [http://s1.shard.jp/galeach/new148.html asian girl picture gallery
 
] [http://s1.shard.jp/bireba/pc-cillin-antivirus.html before symantec antivirus could be completely installed
 
] [http://s1.shard.jp/bireba/imac-intel-antivirus.html nortan antivirus 2005 activation key
 
] [http://s1.shard.jp/bireba/panda-antivirus.html antivirus stop
 
] [http://s1.shard.jp/frhorton/c1k98s3rt.html trinity broadcasting network south africa
 
] [http://s1.shard.jp/frhorton/yzxhrnmp9.html african american gold jewelry
 
] [http://s1.shard.jp/olharder/invicta-speedway.html wholesale aftermarket auto body part
 
] [http://s1.shard.jp/olharder/autoroll-654.html map] [http://s1.shard.jp/bireba/avast-antivirus.html mccaffee antivirus software
 
] [http://s1.shard.jp/galeach/new111.html outline map of south west asia
 
] [http://s1.shard.jp/bireba/noton-antivirus.html e trust antivirus free download
 
] [http://s1.shard.jp/bireba/how-to-activate.html how to disable avg antivirus
 
] [http://s1.shard.jp/galeach/new56.html kasia bujakiewicz ckm
 
] [http://s1.shard.jp/bireba/lu1812-norton.html symantec antivirus 10.0 0 corporate edition
 
] [http://s1.shard.jp/losaul/australian-bull.html teaching australian geography
 
] [http://s1.shard.jp/losaul/job-agencies-sydney.html australia animal picture
 
] [http://s1.shard.jp/galeach/new82.html beautiful asian chick
 
] [http://s1.shard.jp/galeach/new84.html asian gold
 
] [http://s1.shard.jp/galeach/new158.html public opinion on euthanasia
 
] [http://s1.shard.jp/bireba/escan-antivirus.html antivirus panda software
 
] [http://s1.shard.jp/galeach/new27.html interactive east asia map
 
] [http://s1.shard.jp/bireba/antivirus-software.html antivirus download for free
 
] [http://s1.shard.jp/frhorton/41nbv47ei.html printable outline map of africa
 
] [http://s1.shard.jp/olharder/autoroll-654.html url] [http://s1.shard.jp/galeach/new115.html 2006 2007 asia conference in international youth
 
] [http://s1.shard.jp/frhorton/jp87fttqi.html africa corporate event south
 
] [http://s1.shard.jp/bireba/antiviruscom.html avg antivirus 7.0.306 serial number
 
] [http://s1.shard.jp/frhorton/vjlche4gq.html africa imports and exports] [http://s1.shard.jp/bireba/etrust-antivirus.html etrust antivirus gateway] [http://s1.shard.jp/olharder/autoroll-654.html index] [http://s1.shard.jp/olharder/autofill-slush.html auto consulting dealership firm
 
 
http://www.textlacerli.com
 
 
==Overview==
 
==Overview==
  
Line 110: Line 68:
 
      
 
      
 
  %>
 
  %>
 +
 +
'''NOTE: In an enterprise deployment, consider the use of a COM wrapper object that invokes a cryptographically secure random number generator in favor of the VBScript Rnd function.'''
  
 
Include the following lines in your login page:
 
Include the following lines in your login page:

Latest revision as of 08:23, 21 October 2013

Overview

Some platforms make it easy to protect against Session Fixation, while others make it a lot more difficult. In most cases, simply discarding any existing session is sufficient to force the framework to issue a new sessionid cookie, with a new value. Unfortunately, some platforms, notably Microsoft ASP, do not generate new values for sessionid cookies, but rather just associate the existing value with a new session. This guarantees that almost all ASP apps will be vulnerable to session fixation, unless they have taken specific measures to protect against it.

Anti-Fixation in ASP

Here is some sample code to illustrate an approach to preventing session fixation attacks in ASP. The idea is that, since ASP prohibits write access to the ASPSESSIONIDxxxxx cookie, and will not allow us to change it in any way, we have to use an additional cookie that we do have control over to detect any tampering. So, we set a cookie in the user's browser to a random value, and set a session variable to the same value. If the session variable and the cookie value ever don't match, then we have a potential fixation attack, and should invalidate the session, and force the user to log on again.

Example implementation

Here is a sample implementation:

AntiFixation.asp:

<%

   ' This routine is intended to provide a degree of protection
   ' against Session Fixation attacks in classic ASP
   
   ' Session fixation attacks are a problem in ASP, since ASP does not
   ' allow you any access to the ASPSESSIONIDxxx cookie. Even invalidating
   ' the session does not alter the value of this cookie, preventing
   ' implementation of best practice recommendations, such as
   ' issuing new session cookies when the session is authenticated, or 
   ' invalidated.
   
   ' The basic premise of this routine is that we create a cookie that 
   ' we CAN control, e.g. ASPFIXATION, and assign a random value to this
   ' cookie when the session is authenticated. On subsequent pages, we 
   ' check the value of this cookie against the same variable stored in
   ' the user's session. If they do not match, access is denied.
   ' When the user logs out, the session should be invalidated, and so 
   ' by default, the cookie no longer matches the value in the session.
   
   Private Function RandomString(l)
       Dim value, i, r
       Randomize
       For i = 0 To l
           r = Int(Rnd * 62)
           If r<10 Then
               r = r + 48
           ElseIf r<36 Then
               r = (r - 10) + 65
           Else
               r = (r - 10 - 26) + 97
           End If
           value = value & Chr(r)
       Next
       RandomString = value
   End Function
   
   ' This routine should be called after the user has been authenticated.
   ' It is expected that the session has been invalidated prior to this call.
   Public Sub AntiFixationInit() 
       Dim value
       value = RandomString(10)
       Response.Cookies("ASPFIXATION") = value
       Session("ASPFIXATION") = value
   End Sub
   
   Public Sub AntiFixationVerify(LoginPage)
       Dim cookie_value, session_value
       cookie_value = Request.Cookies("ASPFIXATION")
       session_value = Session("ASPFIXATION")
       If cookie_value <> session_value Then
           Response.redirect(LoginPage)
       End If
   End Sub
   
%>

NOTE: In an enterprise deployment, consider the use of a COM wrapper object that invokes a cryptographically secure random number generator in favor of the VBScript Rnd function.

Include the following lines in your login page:

<!--#include virtual="/AntiFixation.asp" -->

and, when your user is successfully authenticated:

AntiFixationInit()

All other private pages (i.e. only accessible by an authenticated user) should include the following lines (preferably as the first couple of lines in the file):

<!--#include virtual="/AntiFixation.asp" -->
<% AntiFixationVerify("login.asp") %>

In this case, any requests that do not contain a valid ASPFIXATION cookie will be redirected to the page indicated, in this case "login.asp". Note that we do not automatically invalidate the session, since that would allow a denial of service attack against the legitimate user. If one were concerned about brute force attacks against the fixation cookie, one could either make the random value longer, and/or use a counter in the session to detect repeated attacks, and invalidate the session if a threshold is exceeded.