Preventing session fixation in Echo3


One of our projects has just been audited for security problems.
One thing which was a security concern is the so-called "session fixation".

Here are the links to the technical details of such attacks:
- http://en.wikipedia.org/wiki/Session_fixation

This PDF explains what the issue is:
http://www.acros.si/papers/session_fixation.pdf

In short, an attack is done with these steps:

1. Badguy opens a session to the server and receives a session (no matter if cookie, URL or form-variable based)
2. Server returns session No 1234
3. Badguy tells Goodguy to make a connection to the server AND includes the session identifier No 1234 in that connection
4. Goodguy now does login with its credentials
5. Badguy is now also logged in with Goodguy's credentials and can do evil things

The only real solution to this problem is to assign Goodguy in step 4 (just after the login) a new session (for example No 1235).

Since Echo3 is also based on the session, this could also be a problem for Echo-based applications.
But here it's not simple to replace the session on login, since the whole server state is held in the session.

I know that Echo3 does increment a counter for client->server sync, and when there is a mismatch it throws some exceptions (and the session is restarted?)

Is this enough to prevent session fixation in an Echo3-only environment?

André
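As an added illustration of the mitigation the post describes (a fresh session identifier right after login, while keeping the server-side state that lives in the session), here is example code that is not from the post or from Echo3: a hypothetical plain servlet login, with `LoginServlet` and `checkCredentials` as assumed names, that rotates the session by copying its attributes into a newly created session.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical login servlet (example only): rotates the session id right after a successful login. */
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        // Assumed application-specific credential check; its implementation is not shown here.
        if (!checkCredentials(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Step 4 of the post: the id the client presented (possibly attacker-chosen) must not
        // become an authenticated session, so issue a new one before marking the user as logged in.
        rotateSessionId(req);
        req.getSession().setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/app");
    }

    /** Replaces the current session with a new id while carrying over its attributes. */
    static void rotateSessionId(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        if (old == null) {
            req.getSession(true); // nothing pre-existing that an attacker could have fixed
            return;
        }
        // Preserve the server-side state (the post notes that Echo3 keeps all of it in the session).
        Map<String, Object> saved = new HashMap<>();
        for (String name : Collections.list(old.getAttributeNames())) {
            saved.put(name, old.getAttribute(name));
        }
        int timeout = old.getMaxInactiveInterval();
        old.invalidate();                         // the old id (1234 in the post's terms) is now dead
        HttpSession fresh = req.getSession(true); // the container issues a new id (1235)
        fresh.setMaxInactiveInterval(timeout);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // Caveat: attribute objects that hold a reference to the old HttpSession keep pointing at the
        // invalidated one; on Servlet 3.1+ containers request.changeSessionId() avoids this by
        // changing only the identifier and keeping the same HttpSession object.
    }

    private boolean checkCredentials(String user, String password) {
        return user != null && password != null; // placeholder, not a real check
    }
}
```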