Collaborate Disseminate
I’m testing an application where the admin and normal user account sessions are persisting simultaneously (different session ID’s). What could be the possible attack vector here.
Thanks
Continue reading Admin and normal user session persisting at the same time and same browser
If someone has access to my computer , can they easily get my session id by going to the browsers developer tools and taking a photo of the session id with a phone, if the session id is passed in a cookie. eg. in a java web a… Continue reading Is it easy to hijack browser session if you have access to someone else computer
I have a PHP application, where two session IDs are being used.
I will use foo and bar as example for those session IDs.
The foo session ID is being generated at the login page.
The bar session ID is being generated after a successful … Continue reading Is my session schema vulnerable to session fixation?
Recently I was musing on the problem and realized that I cannot think of a plausible scenario for a session fixation attack against a PHP application running with default settings.
Given session.use_only_cookies’s default va… Continue reading Plausible scenario for a PHP session fixation attack with default settings?
I am working on a Rails application where I reset the session upon logging out and each successful login, as well as when the user IP address changes.
Would resetting the session (changing the session ID cookie) after each … Continue reading How often should I reset my users’ session cookies?
I am testing a web app and it works like this:
user opens the page and is assigned a sessionId.
user logs in, sessionId stays the same but user is also given an authToken.
user logs out, authToken is deleted, sessionId chan… Continue reading Session Fixation: A token and an id
How do I maintain the same session state with different session ID as we get a login request? Do I need to do anything else from the server end other than just assigning the session id in Response.cookies to an empty string? … Continue reading Session Management to avoid session fixation [migrated]
My situation is:
+I have created a special purpose gmail account
+I used a complicated password to protect the account. On purpose, I did not use any 2FA options are a “reset” email address or phone number
+I unintentional… Continue reading restoring logged out gmail session in running instance of chromium browser?
As I was reading the session fixation article on OWASP, I was thinking that the only way for my server to refuse a cookie set by a rogue script would be for my server to know that the browser sent a request without the HTTP-O… Continue reading Is there a way to know that a cookie is "HTTP Only" on the first user request?
I am testing ASP.NET application, where session id (ASP.NET_SessionId) is not renewed after login. Actually it is renewed when I use browser, on the login page server sends:
Set-Cookie: ASP.NET_SessionId=; expires=Sun, 25-Ju… Continue reading Session Fixation in ASP.NET