lcolombo
Posted July 11, 2024

Hi,

A client performed a penetration test and tells us that the session ID (cookie cokiesession1) is the same before and after logging in. Is it possible to force the session ID to change when the user logs in?

Regards
lcolombo (Author)
Posted July 11, 2024

Hi,

The system assigns a session ID in the cookie to the unauthenticated user:

After entering the system, the system does not renew the anonymous session ID, allowing session fixation from an anonymous user to a logged-in user. Is it possible to renew the user's session once logged into the system?

Regards
Sherzod
Posted July 12, 2024

> 11 hours ago, lcolombo said:
> The system assigns a session ID in the cookie to the unauthenticated user:

Hello,

Do you set cookies yourself?
irigsoft
Posted August 16, 2024

> On 7/23/2024 at 3:16 PM, lcolombo said:
> Any update?

Hello,

I will offer you another way to protect yourself if you do not find a solution.

1. Cookie security

https://web.dev/samesite-cookies-explained/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

    // protection from cross-site cookie use; works only over HTTPS
    procedure TUniMainModule.UniGUIMainModuleCreate(Sender: TObject);
    begin
      UniGUIApplication.UniApplication.Cookies.SetCookie('UNI_GUI_SESSION_ID',
        UniSession.UniApplication.Cookies.GetCookie('UNI_GUI_SESSION_ID'),
        0, True, True, '/');
    end;

2. Session hijacking

https://www.imperva.com/learn/application-security/session-hijacking/
https://owasp.org/www-community/attacks/Session_hijacking_attack

When the session is created (procedure TUniMainModule.UniGUIMainModuleCreate), do some work on the server side, e.g. generate a unique ID based (for example) on Base64(Session_ID, RemoteIP, RemoteReferer, UserAgent, random data, user ID, userName), and check it on every session request in TUniMainModule.UniGUIMainModuleHandleRequest; if it is different, terminate the session.

Please share whether any of this is a solution for you after the next penetration test; it will be useful for the community.

And some topics here:
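The two defences discussed in this thread, regenerating the session ID at login (the fix for lcolombo's finding) and binding the session to client attributes and terminating it on mismatch (irigsoft's step 2), shown as an added framework-neutral Python example. This is not uniGUI code and not from any poster; the in-memory store, the cookie name reuse, the `fingerprint` helper and the hypothetical request handlers are all assumptions made for the demo, and the sample User-Agent string is constructed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory session store (assumption for the demo); a real
# deployment would use the framework's own session manager.
SESSIONS = {}
# Per-process key so the binding value cannot be forged from known inputs.
SERVER_SECRET = secrets.token_bytes(32)


def fingerprint(user_agent: str, remote_ip: Optional[str] = None) -> str:
    """Keyed hash of the client attributes the session is bound to.

    A keyed HMAC is used instead of the plain Base64 concatenation suggested
    in the thread so the stored value reveals nothing about the inputs.
    remote_ip is optional: binding to the IP causes spurious logouts for
    clients whose address changes (mobile networks, NAT pools).
    """
    material = user_agent + "\x00" + (remote_ip or "")
    return hmac.new(SERVER_SECRET, material.encode(), hashlib.sha256).hexdigest()


def _new_session(user: Optional[str], user_agent: str, remote_ip: Optional[str]) -> str:
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[sid] = {
        "user": user,
        "fp": fingerprint(user_agent, remote_ip),
        "created": time.time(),
    }
    return sid


def create_anonymous_session(user_agent: str, remote_ip: Optional[str] = None) -> str:
    """Issued to a visitor before authentication."""
    return _new_session(None, user_agent, remote_ip)


def login(old_sid: str, username: str, user_agent: str, remote_ip: Optional[str] = None) -> str:
    """Authenticate and issue a NEW session ID.

    The pre-login ID is discarded, so an ID planted in the browser before
    authentication never becomes an authenticated session (fixation defence).
    """
    SESSIONS.pop(old_sid, None)
    return _new_session(username, user_agent, remote_ip)


def handle_request(sid: str, user_agent: str, remote_ip: Optional[str] = None):
    """Per-request check: return the session, or None if absent or mis-bound.

    A binding mismatch terminates the session, as irigsoft's step 2 describes.
    """
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if not hmac.compare_digest(sess["fp"], fingerprint(user_agent, remote_ip)):
        SESSIONS.pop(sid, None)
        return None
    return sess


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value with the attributes from irigsoft's step 1."""
    return f"UNI_GUI_SESSION_ID={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed sample User-Agent)"
    anon = create_anonymous_session(ua)        # ID an attacker could have planted
    auth = login(anon, "alice", ua)            # login rotates it
    print("rotated:", anon != auth)            # True
    print("old ID still valid:", handle_request(anon, ua) is not None)  # False
    print(set_cookie_header(auth))
```

The part to carry over to uniGUI is the order of operations in `login`: the old ID is dropped and a fresh one issued before any authenticated state is stored. The `fingerprint` comparison uses `hmac.compare_digest` so a mismatch is not detectable through timing.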