In this an attacker explicitly sets the session identifier of a session for a user. Typically in PHP it's done by giving them a url like http://www.mysite.com/index.php?session_name=session_id. Once the attacker gives the url to the client, the attack is the same as a session hijacking attack.
Default session_name is PHPSESSID
session_id is a unique string and it is in the range a-z A-Z 0-9 , (comma) and - (minus)!
The most crucial piece of information for an attacker is the session identifier, because this is required for any impersonation attack. There are three common methods used to obtain a valid session identifier:
- Prediction: Guessing a valid session identifier. With PHP's native session mechanism, the session identifier is extremely random, and this is unlikely to be the weakest point.
- Capture: Capturing a valid session identifier is the most common type of session attack, and there are numerous approaches for capturing session_id, because session identifiers are typically propagated in cookies or as GET variables.
- Fixation: Fixation is the simplest method of obtaining a valid session identifier by using session_id() after session_start()
What to do
By default session_name is PHPSESSID, so this session name either from php.ini file OR with use of php function session_name. For example session_name('new_session_name')
Set session.use_trans_sid = 0 in your php.ini file. This will tell PHP not to include the identifier in the URL, and not to read the URL for identifiers.
Set session.use_only_cookies = 1 in your php.ini file. This will tell PHP to never use URLs with session identifiers.
Regenerate the session ID anytime the session's status changes. That means any of the following:
- Storing sensitive info in the session
- Changing anything about the session