session-fixiation.php
credit: https://gist.github.com/markjames/516977
does not work, since Apache only considers session IDs passed via cookie
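<?php

declare(strict_types=1);

// Demo for session fixation
//
// Attacker creates a session by visiting the page: http://famfamfam.com/sessionfixation.php
// Attacker gets their session ID out of the cookie (or in this case from the page)
// Attacker creates a URL such as http://famfamfam.com/sessionfixation.php?PHPSESSID=attackerssessionid and sends it to victim
// Victim clicks the URL (now both the attacker and victim are using the same session)
// Victim logs in
// Now the attacker is logged in to the victim's account too (same session!)
//
// The fix is applied below: the session ID is rotated at the moment the
// session's privilege level changes (login), so an ID the victim arrived
// with is never the ID that carries the logged-in state.
//
// NOTE(review): the note at the top of this page says the demo no longer
// reproduces because the server only accepts session IDs from the cookie;
// presumably that is session.use_only_cookies=1 (PHP's default) — confirm
// against the php.ini in use.

// Demo credential only; a real application would compare against a
// password_hash() digest with password_verify().
const DEMO_PASSWORD = 'blissfulignorance';

/**
 * Constant-time check of a submitted password against the demo credential.
 *
 * @param mixed $candidate raw query-string value; anything that is not a string
 *                         is rejected (PHP turns `password[]=...` into an array,
 *                         and the original loose `==` did not guard against that)
 */
function isValidPassword(mixed $candidate): bool
{
    // hash_equals() does not short-circuit on the first mismatching byte,
    // unlike `==`/`===`, so the comparison time does not leak the prefix.
    return is_string($candidate) && hash_equals(DEMO_PASSWORD, $candidate);
}

session_start();

if (isValidPassword($_GET['password'] ?? null)) {
    // Rotate the ID *before* granting privileges: this is what defeats
    // fixation. delete_old_session discards the pre-login session data so an
    // attacker-chosen ID no longer resolves to anything on the server.
    session_regenerate_id(delete_old_session: true);
    $_SESSION['logged_in'] = true;
    $_SESSION['logged_in_as'] = 'Mark J.';
}

// Strict check: this script only ever stores boolean true here.
if (($_SESSION['logged_in'] ?? false) === true) {
    // Escape for the HTML context even though the value is a constant today.
    echo 'You are logged in as ', htmlentities($_SESSION['logged_in_as'], ENT_QUOTES, 'UTF-8');
} else {
    echo 'You are not logged in';
}

// Printing the session ID is part of the demo narrative (step 2 above). It
// discloses the token that authenticates this browser, so it belongs only
// in a demo, never in application output.
echo '<br>', 'Your session ID is ' . session_id();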