session_name("MyCn") against impersonation?

Posted: Mon Apr 27, 2009 5:09 pm
by Jaxolotl
1 - Is it a good practice to call session_name("MyCustomName"); before session_start() to avoid session impersonation by query string?

By adding this to my project (in addition to the other security stuff) I found that it is obviously not possible to "hijack" another one's session by adding PHPSESSID=whatever to the query string.

2 - What I don't understand is that adding MyCustomName=whatever doesn't work. Why is that?

Sorry, forget about item 2, I disabled session.use_trans_sid in my PHP configuration 3 days ago.


Re: session_name("MyCn") against impersonation?

Posted: Tue Apr 28, 2009 10:29 am
by user___
I do not find those two tips protective against session impersonation. Read that article, they suggest some protection mechanisms: http://php-mag.net/itr/online_artikel/p ... d,114.html
I recommend you have a look at this: http://www.php.net/manual/en/function.s ... ate-id.php

Re: session_name("MyCn") against impersonation?

Posted: Tue Apr 28, 2009 7:33 pm
by kaisellgren
Jaxolotl wrote: is it a good practice to call session_name("MyCustomName"); before session_start() to avoid session impersonation by query string?
It is easy for an attacker to find out this "custom name" (cookies and query strings) and then attack. The only situation where it may do some good is the case where the potential cracker will never have a session set up for him. In this case, it is still theoretically (or even practically, in the worst case) possible to perform Session Fixation attacks. No, it is not a good practice.

Re: session_name("MyCn") against impersonation?

Posted: Thu Apr 30, 2009 6:02 pm
by Jaxolotl
Thank you both for your help.
user___ wrote: I do not find those two tips protective against session impersonation. Read that article, they suggest some protection mechanisms: http://php-mag.net/itr/online_artikel/p ... d,114.html
I recommend you have a look at this: http://www.php.net/manual/en/function.s ... ate-id.php
I'm working on correcting session fixation issues these days. The article http://shiflett.org/articles/the-truth-about-sessions was very useful, and yes, I use session_regenerate_id(). I also analyzed vBulletin's login system.

One thing I don't know the reason for is that when session.use_trans_sid was disabled it was still possible to fixate the session on that server using the default PHPSESSID, but when I changed it to a custom session name on the same configuration it wasn't possible anymore.

Any explanation?

Re: session_name("MyCn") against impersonation?

Posted: Thu Apr 30, 2009 6:17 pm
by kaisellgren
If you disable session.use_trans_sid, Session Fixation attacks may still occur. This directive has nothing to do with being able (or not) to change session identifiers by passing PHPSESSID=x in the URL. Even if you rename your "PHPSESSID" to something else, it won't help against Session Fixation attacks.
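As an added example (not code from this thread or from any poster), here is a PHP login flow that applies what the replies above recommend: take the session id only from the cookie, reject ids the server never issued, and regenerate the id when the user logs in, so the cookie's name stops mattering. It assumes PHP 5.5.2 or later for session.use_strict_mode, and check_credentials() is a hypothetical placeholder for the application's real password check.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 5.5.2 for
// session.use_strict_mode; check_credentials() is a hypothetical stub.

function start_hardened_session() {
    // Accept the session id only from the cookie, never from the query
    // string: this, not the cookie's name, is what closes the
    // PHPSESSID=... vector (use_trans_sid must also stay off).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server never issued, so an attacker cannot plant
    // an arbitrary id and wait for the victim to log in with it.
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie away from script access and from plain HTTP
    // (lifetime, path, domain, secure, httponly).
    session_set_cookie_params(0, '/', '', true, true);
    // Renaming the cookie is cosmetic; kept here only to show that the
    // defenses in this file do not depend on it.
    session_name('MyCustomName');
    session_start();
}

function login($username, $password) {
    if (!check_credentials($username, $password)) {  // hypothetical stub
        return false;
    }
    // Discard whatever id the client arrived with and issue a fresh one.
    // Passing true deletes the old session data, so a planted id that a
    // victim logged in with is never associated with the new session.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
    return true;
}

function check_credentials($username, $password) {
    // Placeholder only: replace with the real password verification.
    return false;
}

start_hardened_session();
```

Call login() only after start_hardened_session(); the regenerate step on a successful login is the piece the thread identifies as the actual fixation defense.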