Session Fixation


A session fixation attack proceeds in three steps.

  • First, the attacker transplants a session identifier from their own user agent into the victim's user agent.
  • Second, the victim uses that session identifier to interact with the server, possibly imbuing it with the victim's credentials or confidential information (for example by logging in while carrying it).
  • Third, the attacker uses the same session identifier to interact with the server directly, possibly obtaining the victim's authority or confidential information.
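The three steps above, played out against a minimal in-memory cookie-session server. This is an added example written for this page, not code from the original article or from any particular framework; the `Server` class, the `USERS` table, the user `alice` and her password are all constructed for the demonstration. The two constructor flags model the two server-side decisions that matter: whether an unknown client-supplied identifier is adopted as a new session, and whether the identifier is regenerated when the session's privilege level changes at login.

```python
import secrets

# Constructed credential table for the example; a real application checks a password hash.
USERS = {"alice": "correct horse battery staple"}


class Server:
    """Minimal cookie-session server (constructed for this example).

    accept_client_ids   - adopt an unknown identifier presented by the client as a fresh session
    regenerate_on_login - discard the pre-authentication identifier and issue a new one at login
    """

    def __init__(self, accept_client_ids, regenerate_on_login):
        self.accept_client_ids = accept_client_ids
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session identifier -> session data

    def handle(self, cookie_sid, path, form=None):
        """Handle one request. cookie_sid is the identifier the user agent sent (or None).
        Returns (identifier the server sets in the response cookie, response body)."""
        form = form or {}
        sid = cookie_sid if cookie_sid in self.sessions else None
        if sid is None and cookie_sid is not None and self.accept_client_ids:
            # Fixation-friendly behaviour: an unknown identifier chosen by the client
            # becomes a valid session, so the attacker can pick the value in step 1.
            sid = cookie_sid
            self.sessions[sid] = {}
        if sid is None:
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {}
        session = self.sessions[sid]

        if path == "/login":
            if USERS.get(form.get("user")) != form.get("password"):
                return sid, "login failed"
            if self.regenerate_on_login:
                # Privilege level changes here: retire the old identifier so that anyone
                # who knew it (step 3) no longer reaches the authenticated session.
                del self.sessions[sid]
                sid = secrets.token_urlsafe(32)
                self.sessions[sid] = session
            session["user"] = form["user"]
            return sid, "welcome " + form["user"]
        if path == "/account":
            user = session.get("user")
            return sid, ("account of " + user) if user else "not logged in"
        return sid, "ok"


def run_fixation(server, planted_sid=None):
    """Play the three steps against server and return what the attacker sees on /account.

    planted_sid=None means the attacker first obtains a genuine identifier from the server;
    otherwise the attacker plants a value of their own choosing."""
    # Step 1: the attacker obtains (or invents) an identifier and transplants it into the
    # victim's user agent. How the transplant happens is outside this example.
    if planted_sid is None:
        planted_sid, _ = server.handle(None, "/")
    victim_cookie = planted_sid

    # Step 2: the victim authenticates while carrying the planted identifier.
    victim_cookie, body = server.handle(
        victim_cookie, "/login", {"user": "alice", "password": USERS["alice"]}
    )
    assert body == "welcome alice"

    # Step 3: the attacker presents the original identifier directly.
    _, attacker_view = server.handle(planted_sid, "/account")
    return attacker_view


if __name__ == "__main__":
    vulnerable = Server(accept_client_ids=True, regenerate_on_login=False)
    print("vulnerable, attacker-chosen id:", run_fixation(vulnerable, "attacker-chosen-id"))
    no_client_ids = Server(accept_client_ids=False, regenerate_on_login=False)
    print("rejects client ids only:      ", run_fixation(no_client_ids))
    hardened = Server(accept_client_ids=False, regenerate_on_login=True)
    print("regenerates at login:         ", run_fixation(hardened))
```

Running the three configurations shows why regeneration is the check that matters: refusing client-chosen identifiers only blocks the variant where the attacker invents the value, while an attacker who first collects a genuine identifier from the server still succeeds. Only issuing a fresh identifier at login, and retiring the old one, breaks step 3 in both variants.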

