LII:Web Application Security Guide/Session stealing - Revision history

Shawndouglas: Added further reading

2016-08-10T22:39:03Z

Added further reading

← Older revision		Revision as of 22:39, 10 August 2016
Line 4:		Line 4:

	===To prevent this type of attack===		===To prevent this type of attack===
	* Set the “HttpOnly” attribute for session cookies		* Set the “HttpOnly” attribute for session cookies.
	* Generate random session IDs with secure randomness and sufficient length		* Generate random session IDs with secure randomness and sufficient length.
	* Do not leak session IDs		* Do not leak session IDs.

	===Rationale===		===Rationale===
	Setting the “HttpOnly” attribute on cookies prevents them from being read using JavaScript. This makes it harder to perform successful XSS attacks. Random, secure session IDs prevent the attacker from guessing a valid session ID. Ensuring that session IDs do not leak, for example in Referer information, copied links and HTML content from the site etc. makes sure that the attacker cannot obtain the session ID in this way.		Setting the “HttpOnly” attribute on cookies prevents them from being read using JavaScript. This makes it harder to perform successful XSS attacks. Random, secure session IDs prevent the attacker from guessing a valid session ID. Ensuring that session IDs do not leak, for example in Referer information, copied links and HTML content from the site etc. makes sure that the attacker cannot obtain the session ID in this way.

			==Further reading==
			* [[wikipedia:Session hijacking\|Session hijacking]]

	==Notes==		==Notes==
	The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Session_stealing the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.		The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Session_stealing the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.

Shawndouglas: /* Session fixation */ Title

2016-08-10T21:15:30Z

Session fixation: Title

← Older revision		Revision as of 21:15, 10 August 2016
Line 1:		Line 1:
	{{TOC right}}		{{TOC right}}
	==Session ~~fixation~~==		==Session stealing==
	An attacker who is able to obtain or guess the session ID can steal the session and abuse the privileges of the user.		An attacker who is able to obtain or guess the session ID can steal the session and abuse the privileges of the user.

Shawndouglas: Created as needed.

2016-08-10T21:13:14Z

Created as needed.

New page

{{TOC right}}
==Session fixation==
An attacker who is able to obtain or guess the session ID can steal the session and abuse the privileges of the user.

===To prevent this type of attack===
* Set the “HttpOnly” attribute for session cookies
* Generate random session IDs with secure randomness and sufficient length
* Do not leak session IDs

===Rationale===
Setting the “HttpOnly” attribute on cookies prevents them from being read using JavaScript. This makes it harder to perform successful XSS attacks. Random, secure session IDs prevent the attacker from guessing a valid session ID. Ensuring that session IDs do not leak, for example in Referer information, copied links and HTML content from the site etc. makes sure that the attacker cannot obtain the session ID in this way.

==Notes==
The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Session_stealing the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.