Preventing session fixation by ensuring the only source of creating a session should be a secure random generator

Question

I am trying to prevent session fixation and have read the following from the owasp website:

Session Fixation

Session IDs are to be generated by your application only. Never create a session only because you receive the session ID from the client, the only source of creating a session should be a secure random generator.

I handle sessions by using:

ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies. 
ini_set('session.entropy_file', '/dev/urandom'); // better session id's
ini_set('session.entropy_length', '512');
session_start();

and checking for the existence of a user id:

if(isset($_SESSION['user_id'])) {
    //act like user is logged in
} else {
    //refer user to the login page
}

Does this mean the only source of creating my session is via a secure random generator?

Answer 1

By default PHP is prone to session fixation:

A simple attack scenario

Straightforward scenario:

1. Mallory has determined that http://unsafe.example.com/ accepts any session identifier, accepts session identifiers from query strings and has no security validation. http://unsafe.example.com/ is thus not secure.
2. Mallory sends Alice an e-mail: "Hey, check this out, there is a cool new account summary feature on our bank, http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID". Mallory is trying to fixate the SID to I_WILL_KNOW_THE_SID.
3. Alice is interested and visits http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID. The usual log-on screen pops up, and Alice logs on.
4. Mallory visits http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID and now has unlimited access to Alice's account.

http://en.wikipedia.org/wiki/Session_fixation

session.use_strict_mode boolean

session.use_strict_mode specifies whether the module will use strict session id mode. If this mode is enabled, the module does not accept uninitialized session ID. If uninitialized session ID is sent from browser, new session ID is sent to browser. Applications are protected from session fixation via session adoption with strict mode. Defaults to 0 (disabled).

http://php.net/manual/en/session.configuration.php#ini.session.use-strict-mode

Enabling session.use_strict_mode prevents PHP from accepting ids of non-existing sessions and creating them. This does not prevent other types of session fixation though:

Attack using server generated SID

A misconception is that servers which only accept server generated session identifiers are safe from fixation. This is false.

Scenario:

1. Mallory visits http://vulnerable.example.com/ and checks which SID is returned. For example, the server may respond: Set-Cookie: SID=0D6441FEA4496C2.
2. Mallory is now able to send Alice an e-mail: "Check out this new cool feature on our bank, http://vulnerable.example.com/?SID=0D6441FEA4496C2."
3. Alice logs on, with fixated session identifier SID=0D6441FEA4496C2.
4. Mallory visits http://vulnerable.example.com/?SID=0D6441FEA4496C2 and now has unlimited access to Alice's account.

This can be prevented by session.use_only_cookies, which is on by default.

You may still be vulnerable to yet more session fixation attacks through XSS, which you will have to counteract with measures other than PHP ini settings.

Answer 2

Session IDs are to be generated by your application only.

That quote from OWASP PHP Security Cheat Sheet is wrong. Restricting the source of the session id has no effect on Session Fixation. An attacker can go to your site and just grab a valid session id.

The passage was fixed and gives now an effective method for preventing Session Fixation:

Invalidate the session id after user login (or even after each request) with session_regenerate_id().