Session fixation idea
Posted by Gordon Burditt on 03/10/07 21:11

I had this idea about preventing session fixation, and I'm wondering
what anyone else thinks about it. The idea is, essentially, don't
allow session ids that YOUR PHP didn't generate (and aren't yet
expired) to log in. That way if someone sticks a made-up session
ID on a URL, it won't matter, unless it happens to correspond to
an active session (guessing a user password is probably easier).

Is this already standard practice, new, or is there something better?

I like to use a session save handler to put the data into a database.
So in my case, using a session save handler isn't a lot of extra
work. My approach can deal with sessions saved just about anywhere,
but you need explicit handlers you can modify to use it.

This approach assumes that you already have a login setup and every
protected page will check for a logged-in and unexpired session,
and if not, redirect the browser to the login page. There's some
session data like $_SESSION['logged_in'] = 1 to indicate a valid
login. You also have a timeout so the session expires some time
(say, an hour) after the last click.

When the session handler "open" routine is called, session_id()
returns the session ID the browser supplied if there was one,
otherwise it returns an empty string. The documentation says this
but not specifically about what happens when it's called from the
session handler open routine.

So, if session_id() returns a non-empty string, and
that session doesn't exist in current sessions, you have
(1) A session-fixation attempt,
or
(2) A user returning after their session has expired (or they logged
out explicitly) and been deleted.
Either way, there is no existing session data, so they can't be logged in.
I propose setting a global variable like $possible_session_fixation_attempt
to either 0 or 1 depending on the results of this check.

If the user tries to go anywhere but the login page, he's not logged
in, so he'll be redirected to the login page. At the login page,
if $possible_session_fixation_attempt is set, call
session_regenerate_id(true). The argument causes the deletion of
the old session. Then proceed with the normal logic for the login
page. The logged-in session will have the new session id.

Now, this idea doesn't prevent (or attempt to prevent) hijacking
of unexpired sessions due to snooping or extremely lucky guessing
or the user publishing the session ID. It does prevent tricking a
user into using a pre-determined session ID, which can then be
trivially guessed.
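The check described in the post, worked through as an added example (this is editor-supplied code, not the poster's own handler): a PDO/SQLite-backed session save handler whose open() routine compares the browser-supplied session_id() against the stored, unexpired sessions and sets $possible_session_fixation_attempt, followed by the login-page step that calls session_regenerate_id(true). The table layout, the sessions.sqlite path and the one-hour lifetime are assumptions. It relies on the default session.use_strict_mode=0; from PHP 5.5.2 onward, setting session.use_strict_mode=1 makes the engine itself reject IDs it never issued (via the handler's validateId() when SessionUpdateTimestampHandlerInterface is implemented), which is the built-in way to get the same protection.

```php
<?php
// Added example, not code from the original post. Table name, column names,
// the file path and the $possible_session_fixation_attempt global are assumed.
// Requires PHP 8.0+ for the union return types.

class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $lifetime; // seconds since the last click before a session expires

    public function __construct(PDO $db, int $lifetime = 3600)
    {
        $this->db = $db;
        $this->lifetime = $lifetime;
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    }

    // Called by session_start() before any read. At this point session_id()
    // returns the ID the browser supplied, or "" if it supplied none.
    public function open(string $path, string $name): bool
    {
        global $possible_session_fixation_attempt;
        $possible_session_fixation_attempt = 0;
        $id = session_id();
        if ($id !== '' && !$this->exists($id)) {
            // Either a fixation attempt or a user returning after expiry/logout;
            // in both cases there is no session data behind this ID.
            $possible_session_fixation_attempt = 1;
        }
        return true;
    }

    // True only for an ID that exists AND was touched within the lifetime.
    private function exists(string $id): bool
    {
        $stmt = $this->db->prepare(
            'SELECT 1 FROM sessions WHERE id = :id AND last_seen >= :cutoff');
        $stmt->execute([':id' => $id, ':cutoff' => time() - $this->lifetime]);
        return $stmt->fetchColumn() !== false;
    }

    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = :id AND last_seen >= :cutoff');
        $stmt->execute([':id' => $id, ':cutoff' => time() - $this->lifetime]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : $data; // "" means "no data" to PHP
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare('REPLACE INTO sessions (id, data, last_seen)
            VALUES (:id, :data, :now)');
        return $stmt->execute([':id' => $id, ':data' => $data, ':now' => time()]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_seen < :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

// Wiring (assumed SQLite file; any PDO DSN works the same way).
$possible_session_fixation_attempt = 0;
$db = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new DbSessionHandler($db, 3600), true);
session_start();

// Login page only: drop an unrecognised ID before the user authenticates, so
// the logged-in session never carries an ID the browser arrived with.
if ($possible_session_fixation_attempt) {
    session_regenerate_id(true); // true also deletes the old session record
}
// ... normal login logic follows; on success set $_SESSION['logged_in'] = 1
```

Every protected page still does its own check of $_SESSION['logged_in'] and redirects to the login page when it is missing; because read() returns "" for an unknown or expired ID, a fixated ID never yields logged-in session data, and the regenerate on the login page is what stops the attacker-chosen ID from surviving into the authenticated session.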
