Does Session ID rotation enhance security?

(I think) I understand why session IDs should be rotated when the user logs in - this is one important step to prevent session fixation.

However, is there any advantage to randomly/periodically rotating session IDs?

This seems to only provide a false sense of security in my opinion. Assuming session IDs are not vulnerable to brute-force guessing and you only transmit the session ID in a cookie (not as part of URLs), then an attacker will have to access your cookie (most likely by snooping on your traffic) to get your session ID. Thus if the attacker gets one session ID, they'll probably be able to sniff the rotated session ID too - and thus randomly rotating has not enhanced security.

David Underhill asked May 17 '10 02:05




1 Answer

If you're using session identifiers stored in cookies, session fixation is not an issue. I skimmed through the paper you pasted and I see things like using DNS and XSS to own the user, which obviously are much greater (not to mention, separate) issues than session fixation. If you have the session identifier (with an acceptable level of entropy) stored in a cookie, there is no sane reason to rotate it. The only reason to rotate it would be because it's guessable or vulnerable in some other way, in which case the user gets owned anyways.
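The two points the thread turns on, rotating the identifier at login so a pre-planted ID never becomes an authenticated session, and issuing IDs with enough entropy that guessing is infeasible, can be shown in a small server-side session store. The following is an added example, not code from the question, the answer or any framework; the in-memory dictionary store, the 32-byte token size and the cookie attributes are assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumption: 32 bytes (256 bits) from the OS CSPRNG per identifier, which
# puts brute-force guessing out of reach for any realistic request rate.
SESSION_ID_BYTES = 32


@dataclass
class Session:
    user: Optional[str] = None                 # None until login succeeds
    created_at: float = field(default_factory=time.time)


class SessionStore:
    """Constructed in-memory session store keyed by session ID.

    A real deployment would keep the same mapping in a database or cache;
    the logic of create / login-rotate / lookup is what matters here.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def new_id() -> str:
        # secrets.token_urlsafe(32) yields 43 URL-safe base64 characters.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def create_anonymous(self) -> str:
        sid = self.new_id()
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, presented_sid: str, user: str) -> str:
        """Authenticate and rotate the session identifier.

        The ID the browser presented is discarded, whether or not it was
        known to the store, and a fresh one is bound to the authenticated
        user. Any identifier fixed in the browser before login therefore
        never resolves to the logged-in session.
        """
        old = self._sessions.pop(presented_sid, None)
        new_sid = self.new_id()
        self._sessions[new_sid] = Session(
            user=user,
            created_at=old.created_at if old else time.time(),
        )
        return new_sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value that keeps the ID out of URLs and out of script reach.

    Assumed attribute set: HttpOnly (no document.cookie access), Secure
    (TLS only, so the cookie is not exposed to passive sniffing of plaintext
    traffic), SameSite=Lax and a root Path.
    """
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def fixation_check(store: SessionStore) -> dict:
    """Show that an ID issued before login does not survive login.

    Constructed scenario: a session ID exists in the browser before the
    user authenticates (this is the precondition session fixation relies
    on); after login the store must have replaced it.
    """
    pre_login_sid = store.create_anonymous()
    post_login_sid = store.login(pre_login_sid, "alice")
    authenticated = store.get(post_login_sid)
    return {
        "rotated": post_login_sid != pre_login_sid,
        "pre_login_id_resolves": store.get(pre_login_sid) is not None,
        "authenticated_user": authenticated.user if authenticated else None,
    }


if __name__ == "__main__":
    s = SessionStore()
    print(fixation_check(s))
    # {'rotated': True, 'pre_login_id_resolves': False, 'authenticated_user': 'alice'}
    print(session_cookie_header(SessionStore.new_id()))
```

The rotation in `login` is the step the question describes as essential; the periodic rotation it asks about would be the same call made on a timer, and this code deliberately shows that the protection comes from invalidating the pre-authentication identifier and from the ID's entropy and cookie transport, not from how often a still-valid ID is replaced.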