Thursday, May 13, 2010

Session Fixation Attack

In this kind of attack the attacker sets the victim's session to a specific id that the server recognises and under which it stores the session.

For example:
www.example.com/?PHPSESSID=AEXAMPLEOFHARDCODESESSIONID

So when the user clicks on the link, the user finds that he/she needs to log in.
Once the user has logged in, the session is active under "AEXAMPLEOFHARDCODESESSIONID".

This way, the attacker can open the same URL from another machine and gain access to the logged-in session.

Solution
Every time the user logs in, reset the session id to a new one. This way a fresh session id is issued on every successful login, so any id planted before login no longer maps to the authenticated session. A remote attacker will not be able to guess the id being used, as it is generated randomly by the server.
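As an added example (not code from the original post), a PHP login handler that applies this fix: it refuses session ids passed in the URL and regenerates the id once the credentials are verified. The check_credentials() helper is a hypothetical placeholder for the application's own password check.

```php
<?php
// Added example, not from the original post.
// These settings must be applied before session_start(): refuse ids
// carried in the URL (?PHPSESSID=...) and ids the server never issued,
// so a planted id is never accepted in the first place.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');

session_start();

function login(string $user, string $pass): bool
{
    // Hypothetical helper: verifies the password against the user store.
    if (!check_credentials($user, $pass)) {
        return false;
    }

    // Discard the pre-login id (which may have been chosen by an attacker)
    // and delete its server-side data, then issue a fresh random id.
    session_regenerate_id(true);

    $_SESSION['user'] = $user;
    $_SESSION['authenticated'] = true;
    return true;
}
```

Regenerating the id on login is the core fix; the strict-mode and cookies-only settings additionally stop the URL-based injection shown above from being honoured at all.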

Reference:
