Simple session fixation attack on localhost for testing purpose

Question

I read many q/a on SO about the risk of session fixation/hijacking and many people suggest to change php.ini directives like session.use_only_cookies to ON and others php.ini directives to make the server more secure...

• How do i fix Session Fixation in PHP
• PHP Session Fixation / Hijacking

I wanted to see with my eyes if I could replicate a simple attack scenario on my localhost server based on PHP5 + Apache.

On my localhost session.use_only_cookies is OFF so according to the q/a above my localhost is basically unprotected, which is what I need to do the test.

I 1st read this simple article on how a session fixation attack is perfomed:

• http://en.wikipedia.org/wiki/Session_fixation#A_simple_attack_scenario

In order to replicate the scenario described in the article, I created two very simple PHP scripts (code is below), but the attack does not work, this is what I did:

1. (Pretending to be Mallory) I say to Alice: “hello go visit http://localhost/login.php?PHPSESSID=mysessionid”

2. Then (pretending to be Alice) I went to http://localhost/login.php?PHPSESSID=mysessionid

3. As admin of my localhost server I saw the session being created on server disk (it's cerated as a file with the name sess_ mysessionid), so I thought: cool, it's working!!!

4. Then (pretending to be Alice) I logged in entering “joe” as credential

5. Alice logs in and she is redirected to insession_ok.php, and at this point (according to the wikipedia article above) Mallory should be able to see insession_ok.php too because he fixated the session to mysessionid, but this is not true, because when Alice logs in a new session is created on server sess_vdshg238cnfb4vt7ahpnp1p522, so I don't understand at this point how Mallory is supposed to fixate/hijack the session, as explained in the article???

---

login.php

<?php
session_start();

//if user credentials are ok, let's put him in session
if( @$_POST['usr'] === 'joe' )
   $_SESSION['in_session'] = TRUE;

//if user is already logged in, let's redirect him to the account page "insession_ok.php"
if( isset($_SESSION['in_session']) )
{
   $webpage = 'http://' . $_SERVER['HTTP_HOST'] . '/insession_ok.php';      
   header("Location: " . $webpage, TRUE, 302);
}    
?>
<form method="POST" action="login.php">
   <input name="usr" type="text">
   <input type="submit" value="Submit">   
</form>    
<script type="text/javascript">
   alert(document.cookie); //to view cookies
</script>

---

insession_ok.php

<?php
session_start();
if(@$_SESSION['in_session'] === TRUE)
   echo "in session ok";
else //user is not in session cause he did not login, let's redirect him to login page
{
   $webpage = 'http://' . $_SERVER['HTTP_HOST'] . '/login.php';      
   header("Location: " . $webpage, TRUE, 302);
}
?>

Any clue/idea is always appreciated!

Answer 1

This is the way that I have always used to test session fixation attacks. It requires a knowledge of the HTTP protocol, but if you're good enough to look at session fixation, the a little bit of HTTP shouldn't scare you :)

The version of the session fixation that I am looking at here is the idea of a public computer, wherein you go to a library, navigate to a site like www.myawesomesite.com, and without logging in, you write down the session id that was assigned to you.

You then leave and wait for someone to log into www.myawesomesite.com. As soon as they log in, manually change the session on your computer to the cookie that was used on the public computer. The server then thinks that you are the authenticated user.

In order to test this on localhost, we can use two different browsers to view the effect, as browsers usually do not share cookies.

Here are the steps to do it:

• Open Chrome and navigate to localhost. This will represent the public computer. Inspect the session ID and write it down. You can do this either by using a program like Fiddler to view the request, or by using a plugin like Web Developer to view cookies. The cookie value should look something like PHPSESSID=46l11p0vt81ouo2hkt0ck8ij76

• Open Firefox and navigate to localhost. This will represent the attacker's computer. Using the Web Developer plugin, change the PHPSESSID cookie to the value that you wrote down from Chrome.

• In Chrome, log in as Alice. This will represent the victim logging in.

• Back in Firefox, click "Refresh", or navigate to an authenticated-only page. If you are susceptible to a session fixation, then you should be logged in as Alice on Firefox, having bypassing the login.

The fix for this is simple (as I am sure that you have seen). Simply call session_regenerate_id() as soon as a user authenticates in your code. This invalidates any session id that was used prior to a login and means that Oscar must now try to steal your Session ID after you login (but before you logout), which is much more difficult to do.

Answer 2

Apart from having session.use_only_cookies disabled, you also need to make sure that there is currently no valid session ID cookie as PHP would prefer $_COOKIE over $_GET. In fact, the cause of Alice having a different session ID after login is probably because Alice already has a valid cookie with a session ID that is then used instead of the session ID provided via URL. You can also disable your cookies and enable session.use_trans_sid to avoid cookies at all.

Then your exploit should work as expected.