Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Does Session ID rotation enhance security?

Tags:

security

session

(I think) I understand why session IDs should be rotated when the user logs in - this is one important step to prevent session fixation.

However, is there any advantage to randomly/periodically rotating session IDs?

This seems to only provide a false sense of security in my opinion. Assuming session IDs are not vulnerable to brute-force guessing and you only transmit the session ID in a cookie (not as part of URLs), then an attacker will have to access your cookie (most likely by snooping on your traffic) to get your session ID. Thus if the attacker gets one session ID, they'll probably be able to sniff the rotated session ID too - and thus randomly rotating has not enhanced security.

like image 356
David Underhill Avatar asked May 17 '10 02:05

David Underhill

People also ask

Are session IDs secure?

Session IDs, in their conventional form, do not offer secure Web browsing. Skilled hackers can acquire session IDs (a process called session prediction), and then masquerade as authorized users in a form of attack known as session hijacking.

What is the purpose of a session ID?

In computer science, a session identifier, session ID or session token is a piece of data that is used in network communications (often over HTTP) to identify a session, a series of related message exchanges.

What is a good method of generating session IDs?

The session ID is generated using the Random Number Generator (RNG) cryptographic provider. The service provider returns a sequence of 15 randomly generated numbers (15 bytes x 8 bit = 120 bits). The array of random numbers is then mapped to valid URL characters and returned as a string.

1 Answers

If you're using session identifiers stored in cookies, session fixation is not an issue. I skimmed through the paper you pasted and I see things like using DNS and XSS to own the user, which obviously are much greater (not to mention, separate) issues than session fixation. If you have the session identifier (with an acceptable level of entropy) stored in a cookie, there is no sane reason to rotate it. The only reason to rotate it would be because it's guessable or vulnerable in some other way, in which case the user gets owned anyways.

like image 186
L̲̳o̲̳̳n̲̳̳g̲̳̳p̲̳o̲̳̳k̲̳̳e̲̳̳ Avatar answered Sep 21 '22 15:09

L̲̳o̲̳̳n̲̳̳g̲̳̳p̲̳o̲̳̳k̲̳̳e̲̳̳
Sign in to Comment

Related questions

SSL Failures - Receiving SSL/TLS exception when using HttpWebRequest with client certificate
Firefox information disclosure caused by screenshots of recently used websites
How does towelroot (futex exploit) works
How do I restrict access to my REST API to only authorized clients?
How can I secure Solr 5.3.1 only admin pages
Implement identity server authentication in real world scenario
Who Uses Software Watermarking?
How can an application store secrets in Google Cloud Datastore securely?
SecurityException - Unknown calling package name -Android 6.0.1
Are MacOS Virtual Webcams inherently incompatible with 10.14's Hardened Runtime Library Validation?
REST and CSRF (Cross-Site Request Forgery)
How to mitigate spectre with GCC and Clang (or LLVM in general)
Removing private information from old Git commits
Correct way to safely store token/secret/etc from OAuth?
Options for securing UDP Traffic
Import StartCom CA certificates in Windows JRE
Replicating the 'Taint mode' from 'Fortify static checking tool' in Haskell
Allowing only my android apps to execute endpoint api in java
SSL authentication by comparing certificate fingerprint?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!