How is a session ID assigned and used?
- When you log into a website, like your bank or email, the server authenticates your username and password.
- Once authenticated, the server generates a session ID and sends it to your browser. The session ID is then stored in a cookie, which is a small piece of data that the browser saves.
- Each time you make a new request (like loading a new page), the session ID is sent along with it. This allows the server to recognize you without needing you to re-enter your credentials.
What is a session ID?
- A session ID is a unique identifier assigned to a user when they start a session with a website or application. Think of it as a temporary “pass” that lets the server know who the user is and keeps track of their activity without requiring them to log in again for every action.
- It’s often a random, complex string (like ABC123XYZ789) that uniquely identifies the user’s session on the server.
TLDR: They provide a way to identify and authenticate users across multiple interactions without requiring continuous re-authentication.
Why are session IDs important?
- Security: Session IDs help maintain the user’s login state securely. Once you log out, the session ID is invalidated, and you need to log in again to get a new one.
- Convenience: Session IDs allow you to move through different pages and actions within a site (like checking multiple sections in your bank account) without needing to log in again each time.
How are session IDs generated?
- Session IDs are typically randomized and unique to each session. Good security practices mean they should be difficult to guess and long enough to prevent brute-force attacks.
- Most session IDs are generated by web servers (like Apache or Nginx) or backend frameworks (such as Django, Express, or ASP.NET) and are designed to be unique for each session.
Where are session IDs used?
- Internet Sessions: Session IDs are most commonly used on the internet for websites and online applications where you log in, such as email, bank accounts, social media, and online shopping.
- Local Applications: Session IDs can also be used in local network applications, such as internal company portals or databases, where users authenticate to access resources within a corporate network.
- APIs and Mobile Apps: Session IDs are also used by mobile apps and APIs to manage and verify authenticated sessions.
- Gaming and real time systems: Many online games and real-time applications (like video conferencing or chat services) use session IDs to keep track of users during sessions, allowing them to remain connected and authenticated throughout gameplay or the call.
-VPNs and remote access services: VPNs and remote access services also use session IDs to manage authenticated sessions, ensuring users maintain access to the VPN or remote system without needing constant re-authentication. The session ID in these cases helps manage the encrypted connection and permissions while the user is logged in.
What is session hijacking?
Session hijacking is when an attacker steals a session ID and impersonates a user or takes over their active session.
What are some ways in which session IDs are vulnerable to theft?
- Network sniffing (if using http and not https)
- XSS (cross site scripting)
- Malware
What is a cookie?
A cookie is a small text file that a website saves on your computer or device to store information about your visit. Cookies help websites remember you, your preferences, and your activities. They’re essential for things like keeping you logged in, remembering items in your shopping cart, and personalizing your browsing experience.
What is rate limiting?
Rate limiting is a control mechanism used by websites, APIs and servers to limit the number of requests a user or system can make within a specific time frame, which helps prevent abuse, overload and DDoS attacks.
What is the difference between a cookie and a session ID?
A cookie is the storage mechanism that holds data. Cookies can store various types of information, including session IDs, login data, preferences, and tracking information.
A session ID is a unique identifier that’s often stored inside a cookie to manage a user’s session. The session ID itself isn’t a file—it’s simply a piece of data that helps the server identify your current session.
What are some features of session IDs that make session hijacking successful?
- Absence of a lockout for invalid session IDs (general design flaw)
Since a session ID is not permanently tied to a given account you cannot penalize for invalid attempts. They are only allocated after you successfully log in, so an attacker could send random session IDs without getting locked out since they’re not tied to an account permanently. - Indefinite session timeout (config error)
If a session timeout is not configured, this leaves you vulnerable to a replay attack since attacks like XSS do not happen in real time and are often executed after the fact. - Weak session-ID generation algorithm or small session IDs.
- Insecure handling of session IDs (sent in clear text or in url instead of cookie)
List the sequence of steps in the session hijacking process
- Sniff. Place yourself between the victim and the target
- Monitor the flow of packets. Can try to predict the sequence number if network based, on web app that might not make a difference
- Session Desynchronization: break the connection to the victim’s machine. can do a secondary session or replay the session ID if the application allows it
- Session ID prediction: present it, take over the session
- Command Injection: start injecting packets to the target server.
What is passive vs. active session hijacking?
Passive: not modifying traffic, just recording it
Active: modifying traffic.
What is network vs. application based session hijacking?
Network level: taking over TCP sockets and sequence numbers
Application level: gaining control over user session by obtaining session ID
