Development

#1978 (Early use of session_start() facilitates session fixation attacks (?))

You must first sign up to be able to contribute.

Ticket #1978 (closed enhancement: fixed)

Opened 1 year ago

Last modified 2 months ago

Early use of session_start() facilitates session fixation attacks (?)

Reported by: Rihad.Haciyev Assigned to: fabien
Priority: minor Milestone: 1.1.0
Component: controller Version: 1.0.7
Keywords: Cc:
Qualification: Ready for core team

Description

From http://www.acros.si/papers/session_fixation.pdf :

5.2. Preventing the attacker from obtaining a valid session ID

If possible, a web application on a strict system should only issue session IDs of newly generated sessions to users after they have successfully authenticated (as opposed to issuing them along with the login form). This means that an attacker who isn’t a legitimate user of the system will not be able to get a valid session ID and will therefore be unable to perform a session fixation attack.

Symfony up to and including 1.0.5 calls session_start() when displaying the login form, resulting in the cookie being sent before the user authenticates: storage/sfSessionStorage.class.php 

  public function initialize($context, $parameters = null)
  {
    // ...

    if ($this->getParameter('auto_start', true))
    {
      // start our session
      session_start();
    }
  }

Perhaps session handling should be moved to filter/sfBasicSecurityFilter.class.php : 

  public function execute($filterChain)
  {
    // ...
    if ($user->isAuthenticated())
    {
      // here

Change History

07/16/07 13:29:36 changed by Rihad.Haciyev

We can classify session management mechanisms on web servers in two classes:

a) “Permissive”: those that accept arbitrary session IDs, and create a new session

with proposed session ID if one doesn’t exist yet (e.g., Macromedia JRun server, PHP).

b) “Strict”: those that only accept known session IDs, which have been locally

generated at some point in the past (e.g., Microsoft Internet Information Server).

In addition, making PHP behave like a "strict" server is possible in user code with the use of session_regenerate_id().

07/16/07 21:34:33 changed by l2k

session_regenerate_id() was put into sfBasicSecurityUser::setAuthenticated() in r865, but removed again in r899. It would be interesting to know why. Theres some discussion about in in the forum but no explanation what didn't work.

I think changing the session ID after every login/logout or privilege change would make session fixation attacks pretty much useless, wouldn't it?

10/01/07 06:38:26 changed by dwhittle

  • version changed from 1.0.5 to 1.0.7.
  • qualification set to Design decision.

I have committed a proposed solution to this in changeset #5325 .

10/01/07 09:18:52 changed by fabien

  • qualification changed from Design decision to Ready for core team.

06/23/08 06:47:44 changed by dwhittle

  • status changed from new to closed.
  • resolution set to wontfix.

06/23/08 08:00:19 changed by l2k

It still would be nice to see an explanation on why this didn't make it into trunk...

06/23/08 08:09:18 changed by dwhittle

  • status changed from closed to reopened.
  • resolution deleted.
  • milestone set to 1.1.0 FINAL.

This is up to Fabien, I have committed my fix, and you can always implement this in your own code. See r5325.

06/27/08 20:01:29 changed by fabien

  • status changed from reopened to closed.
  • resolution set to fixed.

in r9942

06/29/08 23:41:03 changed by FabianLange

  • milestone changed from 1.1.0 FINAL to 1.1.0.