6.2 Session Attacks

What is a Session?

A session is a period of interaction between a user and a web application, typically beginning when a user logs in and ending when they log out or their session expires due to inactivity.

Session Management

Session management in web apps refers to the process of securely handling and maintaining user sessions.

It is crucial for security, user experience and maintaining the state of a web app.

Session management components are:

  • Session Identifier: a unique token (often a session ID) is assigned to each user's session; this token is used to associate subsequent requests from the user with their session data.

  • Session Data: info related to the user's session, such as authentication status, user preferences, and temporary data (stored on the server).

  • Session Cookies: small pieces of data stored in the user's browser that contain the session ID. They're used to maintain state between the client and server.

Importance of Session Management

Session management is a really critical topic for the following reasons:

  • User Authentication: after a user logs in, the session management system keeps track of their authenticated state, allowing them to access protected resources without repeatedly entering credentials.

  • User State: web apps often need to maintain state information about a user's activities, e.g. in an e-commerce site, the session management system keeps track of the items in a user's shopping cart.

  • Security: if the session management isn't implemented correctly, it can lead to vulnerabilities such as session fixation, session hijacking and unauthorized access.

Session Management in PHP

In PHP, session management is handled with built-in functions:

  • Session Start: a session is started with the session_start() function, which initializes the session and generates a unique session ID for the user.

  • Session Data: you can store and retrieve session data using the $_SESSION superglobal array, e.g. $_SESSION['username'] = 'name'; stores the username in the session.

  • Session Timeout: configured in the PHP configuration file (php.ini) through the session.gc_maxlifetime parameter.

Session Management Testing

Session Management Testing is a crucial component of web app testing. It involves assessing the security of how a web app manages user sessions, identifying vulnerabilities and weaknesses in session handling that could lead to security breaches, data leakage and unauthorized access. The common session management tests are:

  • Session Fixation Testing: attempting to set a known session ID (controlled by the tester) and then log in with another account. Verify whether the app accepts the pre-set session ID and thereby allows the attacker access to the target account.

  • Session Hijacking Testing: trying to capture and reuse another user's session ID. Network traffic can be intercepted and analyzed for session data using tools such as Wireshark or Burp Suite.

  • Session ID Brute-Force: attempt to brute force session IDs to assess their complexity and the app's resistance to such attacks.
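The following is an added example, not code from the original notes: it ties the PHP functions from the previous section (session_start(), $_SESSION, session.gc_maxlifetime) into one login flow and shows the server-side settings that make the session fixation and hijacking tests above fail: session.use_strict_mode rejects IDs the server never issued, session_regenerate_id() rotates the ID at login, and the cookie is marked HttpOnly, Secure and SameSite. verify_credentials(), the IDLE_TIMEOUT value and the form field names are assumptions made for illustration.

```php
<?php
// Hardened PHP session handling (added example; assumptions are marked).
declare(strict_types=1);

const IDLE_TIMEOUT = 900; // assumed value: 15 minutes of inactivity

// Discard session IDs the server did not generate itself. An attacker-supplied
// ID is replaced with a fresh one, so the fixation test above gets no foothold.
ini_set('session.use_strict_mode', '1');
// Accept the ID only from the cookie, never from the URL.
ini_set('session.use_only_cookies', '1');
// Server-side garbage collection bound, paired with the explicit idle check below.
ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);

// Cookie attributes: unreadable by script, HTTPS only, not sent cross-site.
session_set_cookie_params([
    'lifetime' => 0,          // true session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

session_start();

// Hypothetical credential check standing in for the application's real one.
function verify_credentials(string $user, string $password): bool
{
    // Constructed demo record: hash of the literal password "correct horse".
    $demo_users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($demo_users[$user]) && password_verify($password, $demo_users[$user]);
}

function login(string $user, string $password): bool
{
    if (!verify_credentials($user, $password)) {
        return false;
    }
    // The privilege level changes here, so the session ID must change too.
    // true = delete the old session data so the pre-login ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['username']      = $user;
    $_SESSION['authenticated'] = true;
    $_SESSION['last_activity'] = time();
    return true;
}

function is_authenticated(): bool
{
    if (empty($_SESSION['authenticated'])) {
        return false;
    }
    // Inactivity timeout enforced on the server, independent of the cookie lifetime.
    if (time() - ($_SESSION['last_activity'] ?? 0) > IDLE_TIMEOUT) {
        logout();
        return false;
    }
    $_SESSION['last_activity'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage (constructed): a login form posts the fields 'user' and 'pass'.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
        header('Location: /account');
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
} elseif (!is_authenticated()) {
    http_response_code(401);
    echo 'Please log in';
}
```

The ini_set() calls must run before session_start(), and the same values can instead be placed in php.ini next to session.gc_maxlifetime. Regenerating the ID at every privilege change, not only at login, is what keeps a captured or fixated pre-authentication ID worthless once the user has signed in.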

Session ID and Cookies

Session Identifiers (IDs) are unique tokens or strings generated by a web app to identify and track user sessions. They're essential for maintaining stateful communication between the client/browser and the server.

Session IDs are typically used to associate requests from a user with their session data stored on the server; the ID is sent to the user's browser as a cookie.

Cookies are small pieces of data (usually text encoded in Base64) that a web server sends to the user's browser, which stores them locally.

Cookies serve various purposes, such as session management, user tracking, and personalization. In the context of session management, session cookies are used to store the session ID, allowing the server to recognize and maintain the user's session.
