Questions tagged [session-fixation]

Session Fixation is a security vulnerability which occurs after authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier. It gives an attacker the opportunity to steal authenticated sessions.

60 questions
1 vote, 0 answers

Session fixation under Rails

Because Rails stores the hash of every cookie to prevent tampering, is session fixation possible under the framework? How would an attacker change another user's session_id to match his own (which in turn alters the cookie) without destroying the…
cjames
1 vote, 1 answer

How to prevent this session fixation attack?

I am trying to understand this session fixation attack that was described in theory against mtgox (a well known bitcoin exchange): I discovered session fixation leading to account takeover. Long story short, here's…
user1796995
1 vote, 2 answers

Security SessionFixationProtectionStrategy interfering with session scoped beans

I'm using Spring 3.1.1.Release, Security 3.1.0.Release. I've added login/logout to my web app, however a session scoped bean is not functioning the way it was. The bean is used to connect to a CMS called CMSConnector. To authenticate users, I…
Jason
0 votes, 2 answers

HttpSession invalidate is redirecting to login page

Hi, I'm using a servlet filter to change the session ID on every request in order to avoid session fixation. My problem is that when the method doFilter ends, the application is redirected to the login page. I just want to invalidate and create a new session, without…
0 votes, 1 answer

Session fixation issue for Multi-page Web application

Our Web application has multiple pages and doesn't have any logout functionality. We have tried the onunload method, but it's not working in the Chrome browser. We tried the onbeforeunload method, but it's getting called for page redirection as well. Is there a…
Amal
0 votes, 1 answer

Vert.x Web and session fixation

Using Vert.x Web handlers, is it possible to fix session fixation problems (i.e. change the session id after the user is authenticated), or do I have to implement my own session handling? I need a session during login handling, and I don't see how to…
0 votes, 0 answers

Session Fixation vulnerability in ASP.NET

Hi, I am getting a Session Fixation vulnerability for the line below in my ASP.NET application. this.Session["update"] = Server.UrlEncode(System.DateTime.Now.ToString()); I am getting this issue in more than 100 places since I am using Session["SomeConstant"]…
user8112761
0 votes, 0 answers

Prevent session hijacking, fixation, injection, etc

I'm creating a login system and I have been reading a lot about the security measures needed to prevent session hijacking, fixation, and injection attacks, etc. I'm definitely not a security expert - I pieced together a lot of this with help from…
0 votes, 1 answer

Fix Session Fixation flaw in ASP.Net

A hybrid webforms/mvc asp.net application using .Net Framework 4.7 has been tagged with the "Session Fixation" vulnerability in a Veracode dynamic scan. What this means is that Veracode gets the login page, alters the SessionId cookie…
Tom Regan
0 votes, 1 answer

What is more important, CSRF protection or session fixation protection?

I'm trying to implement Tomcat's CSRF protection filter for my web app, where the users are stored in a MySQL DB, and because my controller is written to forward all requests, I've edited the filter mapping to
Graham
0 votes, 0 answers

Possibility of arbitrary file write on the server via PHP session token

I read that a user can overwrite arbitrary files on the filesystem by specifying a specially crafted value for the PHPSESSID token on login. It also states that it can overwrite other session files or delete other system-related files. Only logged…
Jayapal Chandran
0 votes, 0 answers

How does session_regenerate_id work?

I've read about securing sessions a while ago, but I don't know if I am using it right. All I know is that it replaces the current ID with a new one. So for example: $user = 'popo'; $_SESSION['user'] = $user; session_regenerate_id(true); is…
fdfdfd
0 votes, 0 answers

Injecting NullAuthenticatedSessionStrategy in spring security 4.0.1

I am migrating an existing application using spring-security 3.1.3 to 4.0.1. In the current code, I see NullAuthenticatedSessionStrategy used as below…
xplore
0 votes, 0 answers

Session fixation: am I secure?

I am trying to implement security for my project that prevents session fixation. As I have no access to the component (a filter from a certain library, let's call it MagicFilter) that handles the whole session creation and validation, I was trying to…