WebApp Sec mailing list archives

RE: Session Fixation


From: Noam Eppel <noam () noameppel com>
Date: Mon, 31 Mar 2003 15:41:21 -0600


From: Information Security <InformationSecurity () federatedinv com>
To: "'alex () netWindows org'" <alex () netWindows org>,webappsec () securityfocus com
Subject: RE: Session Fixation
Date: Mon, 31 Mar 2003 15:08:07 -0500

Thanks for the comments.  I disagree with a few, let me know what you think:

On Monday 31 March 2003 07:19 am, Information Security wrote:
I recently visited a site (I think it might have been my bank) where they
actually had an option for "additional security" where you could link the
session to your IP address.  I was impressed, and thought it was a great
option, but I'm not sure how many non-security folks would.

The pitfalls of relying on a client IP for session validation and 
authentication have been discussed in depth before. But client IPs can be 
used as part of an equation that is then hashed to make the initial session 
ID. If an attacker can guess how sessions are generated, session hijacking 
becomes easier. So it is best to use a few different sources in your equation.

An equation with multiple sources can make it harder for an attacker to guess 
a valid session. Basically you want something you know is guaranteed unique 
(so no two sessions are the same), sufficiently random (hard to guess) and 
contains one secret.

For example,

Current Time - guaranteed unique.
Random Function - pseudo random number.
Client IP - ex. 65.78.98.20
Server Secret - "the king is great!"

SESSIONID = SaltedHASH(current time + random number + client IP + server 
secret)

The hash can use algorithms such as MD5 (128b), SHA-1 (160b) or SHA-256 (256b).

An attacker can know the algorithm used, may know the client IP and might figure 
out the time the session was generated, but would not know the random number 
or server secret.

Of course, most popular server-side development languages can automatically 
generate session IDs, so this is not a concern for most developers.

Noam Eppel
secure () noameppel com
Web Security Consultant
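The generation scheme described in the message above, written out as a runnable example. This is added here and is not code from the post or from any server framework; it assumes Python with only the standard library. The "salted hash" is implemented as HMAC-SHA256 keyed with the server secret (the secret string and the client IP 65.78.98.20 are the values quoted in the post, used purely for illustration). The `weak_session_id` function is a constructed contrast that uses only the inputs the post says an attacker can learn (time and client IP), so the brute-force function can show why the random number and secret are the parts that matter.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# Illustrative secret only (the string from the post). In a real deployment it
# is loaded from a config store or KMS and is never committed to source.
SERVER_SECRET = b"the king is great!"


def weak_session_id(timestamp: int, client_ip: str) -> str:
    """Constructed 'before' case: an ID built only from inputs an attacker can
    learn, a whole-second timestamp and the client IP."""
    material = f"{timestamp}|{client_ip}".encode()
    return hashlib.sha256(material).hexdigest()


def session_id(timestamp: int, client_ip: str, random_bytes: bytes,
               secret: bytes = SERVER_SECRET) -> str:
    """The posted equation: hash(time + random number + client IP + server
    secret). HMAC-SHA256 keyed with the secret plays the role of the salted
    hash, so the secret is mixed in as a key rather than by concatenation."""
    material = f"{timestamp}|{client_ip}|".encode() + random_bytes
    return hmac.new(secret, material, hashlib.sha256).hexdigest()


def new_session(client_ip: str) -> Tuple[int, str]:
    """Issue a fresh session ID for a client. Returns (timestamp, id); the
    random bytes come from the OS CSPRNG and are never sent to the client."""
    timestamp = int(time.time())
    random_bytes = os.urandom(16)  # 128 bits of entropy per session
    return timestamp, session_id(timestamp, client_ip, random_bytes)


def brute_force_by_time(target_id: str, client_ip: str,
                        t_start: int, t_end: int,
                        scheme: Callable[[int, str], str]) -> Optional[int]:
    """Attacker model from the post: knows the algorithm, the client IP and a
    window in which the session was created. Tries every second in the window
    against `scheme` and returns the matching timestamp, or None if no guess
    reproduces the target ID."""
    for t in range(t_start, t_end + 1):
        if hmac.compare_digest(scheme(t, client_ip), target_id):
            return t
    return None


def attacker_view_of_full_scheme(timestamp: int, client_ip: str) -> str:
    """What an attacker can compute for the full scheme: they must guess the
    random number and the secret, here modelled as all-zero bytes and an
    empty key, because they hold neither."""
    return session_id(timestamp, client_ip, b"\x00" * 16, secret=b"")


if __name__ == "__main__":
    ip = "65.78.98.20"
    # Weak scheme: a 10-minute window of timestamps recovers the session.
    t0 = 1049146887  # constructed timestamp, 31 Mar 2003
    weak = weak_session_id(t0, ip)
    print("weak scheme recovered at", brute_force_by_time(weak, ip, t0 - 300, t0 + 300, weak_session_id))
    # Full scheme: the same search fails without the random number and secret.
    t1, strong = new_session(ip)
    print("full scheme recovered at", brute_force_by_time(strong, ip, t1 - 300, t1 + 300, attacker_view_of_full_scheme))
```

The search window here is small only to keep the demonstration fast; the point is that widening it does not help against the full scheme, because the unknown 128-bit random value is what the attacker would have to enumerate, not the clock.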

