
Posted

Hi,

A client performed a penetration test and tells us that the session ID (cookie cokiesession1) is the same before and after logging in. Is it possible to force the session ID to change when the user logs in?

Regards

 

Posted

Hi,

The system assigns a session ID in the cookie to the unauthenticated user:

[screenshot: session cookie issued to the anonymous user]

After logging in, the system does not renew the anonymous session ID, allowing session fixation from an anonymous user to a logged-in user.

[screenshot: same session cookie after login]

Is it possible to renew the user's session once logged into the system?

Regards

Posted
11 hours ago, lcolombo said:

The system assigns a session ID in the cookie to the unauthenticated user:

Hello,

Do you set cookies yourself?

Posted
On 7/23/2024 at 3:16 PM, lcolombo said:

Any update ?

Hello, I will offer you another way to protect yourself if you do not find a solution.


1. Cookies security
https://web.dev/samesite-cookies-explained/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

// protection from cross-site cookie use; works only on HTTPS

procedure TUniMainModule.UniGUIMainModuleCreate(Sender: TObject);
begin
  // re-issue the session cookie with the hardened flags (see the SameSite links above)
  UniGUIApplication.UniApplication.Cookies.SetCookie('UNI_GUI_SESSION_ID',
    UniSession.UniApplication.Cookies.GetCookie('UNI_GUI_SESSION_ID'), 0, True, True, '/');
end;

2. Session Hijacking
https://www.imperva.com/learn/application-security/session-hijacking/
https://owasp.org/www-community/attacks/Session_hijacking_attack

When the session is created (procedure TUniMainModule.UniGUIMainModuleCreate), do some work on the server side, like generating a unique ID based on (for example) Base64(Session_ID, RemoteIP, RemoteReferer, UserAgent, random data, user ID, userName), and check it on every request in TUniMainModule.UniGUIMainModuleHandleRequest; if it is different, terminate the session.

Please share whether any of this is a solution for you after the next penetration test; it will be useful for the community.

And some topics here:

 
