Question

I have read about session fixation and from what I understand it forces a user to use an attacker's session. Is this correct? Can you give me an example of how this could offend the user?


Solution

I don't usually like to post links to Wikipedia, but here's a link to a very good explanation on Wikipedia...

Here's the meat of it:

  • Alice has an account at the bank http://unsafe/. Unfortunately, Alice is not very security savvy.
  • Mallory is out to get Alice's money from the bank.
  • Alice has a reasonable level of trust in Mallory, and will visit links Mallory sends her.

  1. Mallory has determined that http://unsafe/ accepts any session identifier, accepts session identifiers from query strings and has no security validation. http://unsafe/ is thus not secure.
  2. Mallory sends Alice an e-mail: "Hey, check this out, there is a cool new account summary feature on our bank, http://unsafe/?SID=I_WILL_KNOW_THE_SID". Mallory is trying to fixate the SID to I_WILL_KNOW_THE_SID.
  3. Alice is interested and visits http://unsafe/?SID=I_WILL_KNOW_THE_SID. The usual log-on screen pops up, and Alice logs on.
  4. Mallory visits http://unsafe/?SID=I_WILL_KNOW_THE_SID and now has unlimited access to Alice's account.
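To make the four steps concrete, here is a constructed Python simulation (added here; not code from the answer or from Wikipedia) of the http://unsafe/ behaviour beside its hardened form. `BankServer`, `fixation_succeeds` and the two flags are my own assumptions; only the SID value comes from the answer. It goes a little beyond the text by showing that regenerating the SID at login defeats the attack even when URL-supplied SIDs are still accepted.

```python
import secrets


class BankServer:
    """Toy bank web app (constructed example). accept_url_sid=True together
    with regenerate_on_login=False reproduces http://unsafe/ from the answer:
    any SID found in the query string is adopted and survives the log-on."""

    def __init__(self, accept_url_sid, regenerate_on_login):
        self.accept_url_sid = accept_url_sid
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # sid -> user name, or None while anonymous

    def _new_sid(self):
        sid = secrets.token_urlsafe(16)  # server-issued, unguessable
        self.sessions[sid] = None
        return sid

    def request(self, query_sid=None, cookie_sid=None):
        """Resolve the session for one request and return the effective SID."""
        if self.accept_url_sid and query_sid is not None:
            # Weak: adopt whatever SID the URL carries, even one never issued.
            self.sessions.setdefault(query_sid, None)
            return query_sid
        if cookie_sid in self.sessions:
            return cookie_sid
        return self._new_sid()  # unknown or missing SID: start a fresh session

    def login(self, sid, user):
        """Authenticate. The hardened server discards the pre-login SID here,
        so a value chosen before authentication never names a logged-in session."""
        if self.regenerate_on_login:
            self.sessions.pop(sid, None)
            sid = self._new_sid()
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


def fixation_succeeds(server, fixed_sid="I_WILL_KNOW_THE_SID"):
    """Replay steps 2-4 of the answer against `server`; True means Mallory's
    chosen SID now maps to Alice's authenticated session."""
    alice_sid = server.request(query_sid=fixed_sid)    # step 3: Alice follows the link
    alice_sid = server.login(alice_sid, "alice")       # ...and logs on
    mallory_sid = server.request(query_sid=fixed_sid)  # step 4: same SID, different browser
    return server.whoami(mallory_sid) == "alice"
```

Running `fixation_succeeds` against `BankServer(True, False)` returns True; flipping either flag makes it return False, which is why frameworks regenerate the session id on authentication and refuse to honour ids they did not issue.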
Licensed under: CC-BY-SA with attribution