Destroying sessions on user logout.


32 Replies - 2633 Views - Last Post: 31 March 2015 - 07:10 PM

#31 benanamen

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 05:46 PM

ArtificialSoldier, on 31 March 2015 - 05:03 PM, said:

From what I understand, all of the possible risks come from other vulnerabilities present in the "noob application", and that if those vulnerabilities do not exist then I don't see a problem with an existing session. In other words, the problem is not the open session itself, it is an open session combined with other vulnerabilities that shouldn't be there in the first place.


@ArtificialSoldier, I think you summed it up quite well. Keep in mind, being an experienced developer does not necessarily make for an expert in web security. Many non-noobs may know some basics, but this field is very in depth and ever changing. There is no shortage of well-developed sites that have security issues.

I can pretty much guarantee you I can find a security issue with almost any site. I am by no means saying I know it all. I don't even think the best of the best would make that claim.

#32 Atli

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 06:58 PM

I see what you mean with the session fixation issue.

It's pretty easily defeated, though, by simply refreshing the session ID on successful user login. If you take that a step further and refresh the session ID on each request, that should neutralize pretty much any attack that relies on the attacker knowing the session ID. They'd have to manage to figure out the ID after the user logs in, and then use that ID before the user has a chance to make a new request.

I guess it would be theoretically possible for an attacker to intercept the user's traffic and thus access a valid session ID, or by use of some malware find it on the user's end, but if they have that sort of access, it would be just as easy to steal the actual password as the user logs in, and log in themselves.

Quote

I assume you are knowledgeable enough to know that most of the hacks regarding sessions are to get a hold of a valid session to start doing the bad stuff. If there are so many hacks just to get it, there must be a reason why. By leaving a session open after the valid user has come and gone, you eliminate much of the hard work for the hacker.

Getting a hold of a valid session isn't usually a problem though. Most sites will issue you a session ID right as you enter the site, or at least as you attempt to log in. Stealing an old session ID would hardly ever be necessary. - Even the owasp.org site issues you a session ID as you enter the login form :)

In the context of session fixation and even session hijacking, as I understand it, issuing a session ID before the user has been authenticated would be just as dangerous as leaving the session intact after logout.
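The two mitigations discussed in this post (rotate the session ID on successful login, optionally on every request, and destroy the server-side session on logout), as an added example that is not code from the thread. It is a self-contained in-memory store; the class and method names are assumptions, and a real application would back it with a database or cache and send the ID in an HttpOnly/Secure cookie.

```python
import secrets
import time


class SessionStore:
    """Minimal server-side session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}  # session_id -> session data

    def start(self):
        """Issue an anonymous, pre-authentication session, as most sites do."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def _rotate(self, sid):
        # Move the data under a fresh, unguessable ID and retire the old one.
        data = self._sessions.pop(sid, None)
        if data is None:
            raise KeyError("unknown or expired session")
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def login(self, sid, user):
        """Authenticate and rotate the ID, so an ID that was issued (or planted)
        before login never becomes an authenticated one: this defeats fixation."""
        new_sid = self._rotate(sid)
        self._sessions[new_sid]["user"] = user
        return new_sid

    def touch(self, sid):
        """Per-request rotation, the 'step further' described in the post."""
        return self._rotate(sid)

    def logout(self, sid):
        """Destroy the server-side session; the old ID must stop working."""
        self._sessions.pop(sid, None)


def demo():
    store = SessionStore()
    pre = store.start()                # ID handed out before authentication
    auth = store.login(pre, "alice")   # ID rotated at login
    checks = {"pre_login_id_dead": store.get(pre) is None,
              "new_id_has_user": store.get(auth)["user"] == "alice"}
    current = store.touch(auth)        # optional per-request rotation
    checks["old_id_dead_after_touch"] = store.get(auth) is None
    store.logout(current)
    checks["id_dead_after_logout"] = store.get(current) is None
    return checks
```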

#33 benanamen

Re: Destroying sessions on user logout.

Posted 31 March 2015 - 07:10 PM

Quote

I see what you mean with the session fixation issue.

It's pretty easily defeated, though


Yes, security issues can be mitigated. That's what keeps me in business. The problem is developers are not doing the basics to thwart the problems.

Take click jacking for example. The exploit was discovered 7 years ago yet 99.999% of the sites I check are vulnerable to it. It is one of the easiest exploits to do, but in turn, it is also one of the easiest to stop dead in its tracks. And yet the vulnerability is rampant. I am even talking major banks. The city I am in now, every single credit union is vulnerable to click jacking. :hang: