51 lines
1.5 KiB
Plaintext
51 lines
1.5 KiB
Plaintext
If a session ID can be guessed (not generated with a secure pseudo random generator, or with insufficient length ...) an attacker may be able to hijack another user's session.
|
|
|
|
|
|
== Ask Yourself Whether
|
|
|
|
* the session ID is not unique.
|
|
* the session ID is set from a user-controlled input.
|
|
* the session ID is generated with not secure pseudo random generator.
|
|
* the session ID length is too short.
|
|
|
|
There is a risk if you answered yes to any of those questions.
|
|
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
Don't manually generate session IDs, use instead language based native functionality.
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
session_id(bin2hex(random_bytes(4))); // Sensitive: 4 bytes is too short
|
|
session_id($_POST["session_id"]); // Sensitive: session ID can be specified by the user
|
|
----
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
session_regenerate_id(); ; // Compliant
|
|
session_id(bin2hex(random_bytes(16))); // Compliant
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
|
|
* https://www.owasp.org/index.php/Session_fixation[OWASP Sesssion Fixation]
|
|
* https://cwe.mitre.org/data/definitions/330.html[MITRE, CWE-330] - Use of Insufficiently Random Values
|
|
* https://www.php.net/random-bytes[PHP: random_bytes()]
|
|
* https://www.php.net/session-regenerate-id[PHP: session_regenerate_id()]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|