Session Fixation


About

A session fixation attack 1) proceeds in three steps.

  • First, the attacker transplants a session identifier from his or her user agent to the victim's user agent.
  • Second, the victim uses that session identifier to interact with the server, possibly imbuing the session identifier with the user's credentials or confidential information.
  • Third, the attacker uses the session identifier to interact with the server directly, possibly obtaining the user's authority or confidential information.
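To show why the third step succeeds, and what stops it, the constructed Python below (added here, not part of the original page) replays the three steps against a toy in-memory session store: when the server keeps the transplanted identifier through login, the attacker's copy ends up carrying the victim's authority; when it issues a fresh identifier at authentication, the transplanted one stays anonymous. The `SessionStore` class, its method names and the user `alice` are assumptions of this example, not any particular framework's API.

```python
import secrets


class SessionStore:
    """Toy in-memory session store (an assumption of this example)."""

    def __init__(self, regenerate_on_login: bool):
        self.sessions: dict[str, dict] = {}
        self.regenerate_on_login = regenerate_on_login

    def new_session(self) -> str:
        # Server-issued identifier: an unguessable random nonce.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def login(self, sid: str, username: str) -> str:
        # Identifiers the server never issued get a fresh anonymous session
        # rather than being adopted as-is.
        if sid not in self.sessions:
            sid = self.new_session()
        if self.regenerate_on_login:
            # Mitigation: move the session data to a brand-new identifier so
            # any copy of the old one held elsewhere is no longer valid.
            data = self.sessions.pop(sid)
            sid = self.new_session()
            self.sessions[sid] = data
        self.sessions[sid]["user"] = username
        return sid  # the identifier the victim's user agent now holds

    def whoami(self, sid: str):
        session = self.sessions.get(sid)
        return session.get("user") if session else None


def simulate_fixation(regenerate_on_login: bool):
    """Replay the three steps; returns (attacker's view, victim's view)."""
    store = SessionStore(regenerate_on_login)
    # Step 1: attacker obtains a valid identifier and transplants it.
    fixed_sid = store.new_session()
    # Step 2: victim authenticates while using that identifier.
    victim_sid = store.login(fixed_sid, "alice")
    # Step 3: attacker presents the identifier they planted.
    return store.whoami(fixed_sid), store.whoami(victim_sid)


if __name__ == "__main__":
    print("no regeneration:", simulate_fixation(False))  # ('alice', 'alice')
    print("regenerate on login:", simulate_fixation(True))  # (None, 'alice')
```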




