Reputation: 615
I'm wondering if the session is safe enough to authenticate users. Basically, when a new session is started, a server generates a unique session id. And the id is used to differentiate different users.
However, isn't it possible for hackers to steal others' session ids? How can I prevent others from stealing my session id? It seems to me that hackers can also guess a session id by accident or by brute force attack.
Could you please answer the question so that I can understand the concept of sessions and be a better software developer?
Upvotes: 3
Views: 408
Reputation: 9049
Session data is prone to attacks. Cross-Site Request Forgery or Session riding is one method of the buzzwords that people are wary of.
Several articles on CSRF have already been mentioned here.
But in general session hijacking is a security aspect of any (session-aware) web application. A Man-in-the-middle (MITM) attack is something that would expose sensitive data to an unauthorized user. A good write-up on MITM is here on OWASP. A few examples of MITM are on this blog.
While most articles provide a background on a few vulnerabilities that could arise by not implementing measures against session hijacking, the good news is that there are tools that allow us to test the application for these vulnerabilities. The Open Web Application Security Project (OWASP) has already been mentioned. OWASP provides a guide for building secure websites (quite general themes), a checklist for Session Management testing, and also some resources/tools and examples to check specific aspects of sessions.
The articles mentioned give ways to test for such vulnerabilities. Like you've already mentioned, a bit of reading would help you.
Upvotes: 0
Reputation: 4806
You are correct. There is a kind of attack called "session hijacking". There is also a troublesome attack that interferes in an existing session that is known as "cross-site request forgery". Various countermeasures are necessary. It's not very practical to summarize them here. But knowing the names of the attacks, you can easily go and learn about the countermeasures. For example you'll want to consult the Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet at OWASP.org.
Upvotes: 0
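The answer above points at the OWASP CSRF cheat sheet rather than spelling out a countermeasure. The following is an added example (not code from any of the answers) of the synchronizer token pattern that sheet describes: a random token is bound to the server-side session, echoed into every form, and a state-changing POST is accepted only when the submitted token matches the session's copy. The `SESSIONS` dict, the function names and the `"alice"` user are constructed for the example.

```python
import hmac
import secrets

# Toy server-side session store: session_id -> session data (constructed for this example).
SESSIONS = {}


def new_session():
    """Create a session and attach a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "user": "alice"}
    return sid


def render_form(sid):
    """Embed the per-session token as a hidden field (synchronizer token pattern)."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '</form>'
    )


def handle_post(cookie_sid, form_fields):
    """Accept a state-changing POST only if the submitted token matches the session's token.

    The browser attaches the session cookie to any cross-site form post automatically,
    but a third-party page cannot read the token out of this site's HTML, so a forged
    request arrives without it (or with a wrong one) and is rejected.
    """
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "no session"
    submitted = form_fields.get("csrf_token", "")
    # compare_digest keeps the comparison constant-time so the token is not leaked via timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    return 200, "ok"


if __name__ == "__main__":
    sid = new_session()
    print(render_form(sid))
    print(handle_post(sid, {}))                                        # forged: no token
    print(handle_post(sid, {"csrf_token": SESSIONS[sid]["csrf_token"]}))  # legitimate
```

The token must be unpredictable (here 256 bits from `secrets`) and scoped to the session, otherwise an attacker could reuse a token observed in one session against another.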
Reputation: 67029
In the wild cookies are most commonly obtained using XSS. Another common method of hijacking a session is sniffing the session id with a tool like Firesheep. In this case leaking the session id over HTTP would be a violation of OWASP A9 - Insufficient Transport Layer Protection. If an attacker can force a victim into using a specific session id then it's called Session Fixation, and can be used to compromise an account. CSRF and clickjacking are other ways of influencing a session.
I recommend reading the Mozilla WebAppSec Secure Coding Guidelines - Session Management.
Upvotes: 3
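The answer above names the three main channels (XSS reading the cookie, sniffing it over plain HTTP, and session fixation) and the question asks whether ids can be guessed. As an added example that is not from any of the answers, the session store below shows the corresponding server-side defences in one place: ids drawn from the OS CSPRNG with enough entropy that guessing is hopeless, the `HttpOnly`/`Secure`/`SameSite` cookie attributes that keep the id away from script and off unencrypted connections, rotation of the id at login so a fixated id never becomes an authenticated one, and an idle timeout. `SessionStore`, `SESSION_ID_BYTES` and the 900-second timeout are assumptions made for this example.

```python
import secrets
import time

SESSION_ID_BYTES = 32  # 256 bits of randomness per id; far beyond what brute force can search


def session_id_entropy_bits(n_bytes=SESSION_ID_BYTES):
    """Entropy of an id built from n_bytes of CSPRNG output."""
    return n_bytes * 8


def expected_guesses(n_bytes=SESSION_ID_BYTES, active_sessions=1):
    """Average number of random guesses before hitting any one of the active sessions.

    With many live sessions the attacker's odds improve linearly, which is why ids
    need far more entropy than just 'more than the number of users'.
    """
    return (1 << (n_bytes * 8)) // (2 * active_sessions)


class SessionStore:
    """Minimal server-side session table (constructed for this example)."""

    def __init__(self, idle_timeout=900):
        self._sessions = {}
        self.idle_timeout = idle_timeout

    def create(self, now=None):
        """Anonymous session; the id comes from the OS CSPRNG, never from a counter or timestamp."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": None, "last_seen": now or time.time()}
        return sid

    def lookup(self, sid, now=None):
        """Return session data, or None if unknown or idle for longer than the timeout."""
        now = now or time.time()
        data = self._sessions.get(sid)
        if data is None:
            return None
        if now - data["last_seen"] > self.idle_timeout:
            del self._sessions[sid]  # expire, so a stolen id has a bounded useful life
            return None
        data["last_seen"] = now
        return data

    def login(self, old_sid, username, now=None):
        """Rotate the id on privilege change (session fixation defence).

        Whatever id the client presented before authentication is discarded, so an id an
        attacker planted in the victim's browser is never the one that carries the login.
        """
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = {"user": username, "last_seen": now or time.time()}
        return new_sid

    def logout(self, sid):
        """Invalidate server-side; clearing the cookie alone leaves the id usable."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid, max_age=900):
    """Set-Cookie value with the attributes that address the theft channels named in the answer.

    HttpOnly: script (XSS) cannot read document.cookie.
    Secure:   the browser never sends the cookie over plain HTTP, so it cannot be sniffed.
    SameSite: the browser withholds it on most cross-site requests (helps against CSRF).
    """
    return f"session={sid}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print("rotated on login:", anon != authed, "old id still valid:", store.lookup(anon) is not None)
    print(set_cookie_header(authed))
    print("entropy bits:", session_id_entropy_bits(), "guesses vs 1000 sessions:", expected_guesses(active_sessions=1000))
```

None of this replaces serving the whole site over HTTPS: the `Secure` flag only stops the browser from sending the cookie in clear, it does not protect a site that still serves its pages over HTTP.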