Skip to content
/ secureSession Public

Change the session id per magento request to avoid Session Fixation and Session Hijacking. And avoid setting the session id via POST and GET request

6 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ikonoshirt/secureSession

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
code
code
 
 
Ikonoshirt_SecureSession.xml
Ikonoshirt_SecureSession.xml
 
 
README.md
README.md
 
 
modman
modman
 
 

Repository files navigation

#SecureSession

The Problems and Solutions

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

One picked: Top 10 2010-A3-Broken Authentication and Session Management

https://www.owasp.org/index.php/Top_10_2010-A3

sessions in the URL & session hijacing

If you have a session in the url it is a sign for a low level attempt to hijack a session. So, if we find a session in the url, we destroy the session.

If the hacker is better, he uses cookies - as the user does, so we change the session id for every request, what means, the time frame for hijacking the session is very much shorter.

session fixation attacks & session id change after login

One way is to steal the sessionid for a authenticated user, the other way is to generate a session and then let the user use this generated session id to authenticate.

If we set a new cookie and generate a new session id after login, this can no longer happen

session id only transported over https (TODO)

We check in the backend wether the secure and unsecure URL are https urls, if not we show a warning dialog.

About

Change the session id per magento request to avoid Session Fixation and Session Hijacking. And avoid setting the session id via POST and GET request

Resources

Readme
Activity
Custom properties

Stars

6 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages