[thelist] Session Fixation

Lauri lauri_lists at tharapita.com
Fri Jun 12 09:15:37 CDT 2009

Hi Bill, 

There is another variation of Session Fixation that works on cookies by
relying on brief access to your computer (or exploiting public
computers/internet cafes). 

An attacker can will a site, note down the cookie ID from before the login
and wait for (or induce) a victim to log in with their credentials on that
computer. Then the attacker can use that session ID as the original user
does. The fact that a session ID was already on that browser remains
unnoticed by the victim. 

Minting a new session ID whenever the authentication level changes is a good
session ID management practice regardless of whether you're using cookies or

Lauri Väin 

More information about the thelist mailing list