What is it and why do I care?
Session fixation, by most definitions, is a subclass of session hijacking. The most common basic flow is:
1. attacker gets a valid session ID from an application
2. attacker forces the victim to use that same session ID
3. attacker knows the session ID that the victim is using and can gain access to the victim’s account.
Step 2 of forcing the session ID on the victim is the only real work involved in the attack. It’s often performed by simply sending a victim a link to a website with the session ID attached to the URL.
Obviously, one user being able to take over another user’s account is a serious issue, so …
What should I do about it?
Fortunately, resolving session fixation is usually fairly simple. The basic advice is:
Invalidate the user session once a successful login has occurred.
The usual basic flow to handle session fixation prevention looks like:
1. User enters correct credentials
2. System successfully authenticates user
3. Any existing session information that needs to be retained is moved to temporary location
4. Session is invalidated (HttpSession#invalidate())
5. New session is created (new session ID)
6. Any temporary data is restored to new session
7. User goes to successful login landing page using new session ID
A useful snippet of code is available from the ESAPI project that shows how to change the session identifier.
http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java (look at the changeSessionIdentifier method)
There are other activities that you can perform to provide additional assurance against this issue. A few I thought of are listed below.
1. Check if a user tries to login using a session ID that has been specifically invalidated (requires maintaining this list in some type of LRU cache)
2. Check if a user tries to use an existing session ID already in use from another IP address (requires maintaining this data in some type of map)
3. If you see these types of obviously malicious behavior, consider using something like AppSensor (shameless plug) to protect your app, and to be aware of the attack.
As you can see, session fixation is a serious issue, but has a pretty simple solution. Your best bet if possible is to include an appropriate solution in some “enterprise” framework (like ESAPI) so this solution applies evenly to all your applications.