Palisade Magazine

September 2005

Session IDs


When is the best time to assign session ids?

  1. Have a single session id for a complete browser instance.
  2. Assign a session ID to a user on the login page.
  3. On logout change the session ID to a new value.
  4. Assign a session id after authentication, change it at logout.


The best option is 4. Assign a session ID after authentication, change it at logout.

Web applications must establish sessions to keep track of the stream of requests from each user. Applications do this by assigning a unique value to each user and checking for this value in each request to identify the user. This value is a session token. Most of the time the web application environment provides session management capability, but many developers prefer to create their own session tokens. In either case, if the session tokens are not properly implemented, an attacker can hijack an active session and assume the identity of a user.

Option 1: Have a single session id for a complete browser instance. If there is a single session ID assigned to a browser, then every user who logs in through that browser will get the same session id. Suppose an attacker uses the application and logs out without closing the browser. A valid user then uses the same browser instance to log into the application. The attacker already knows the session ID and can hijack the user’s session from another system.

Option 2: Assign a session ID to a user on the login page. It means that the session ID provided at the login page is the same as the session id after authentication. The issue with this method is similar to that in option 1. An attacker can note the session ID from the login page and leave without logging in. When a user logs into the application, on authentication the same session ID is assigned, so the attacker already holds the authenticated user's session ID.

Option 3: On logout change the session ID to a new value. This option is actually just a variation of the previous option. Here, when a user logs out of the application, the session ID value changes. This new value is bound to the next user after authentication. So, in effect, the session ID on the login page is what is assigned to the user on authentication. An attacker can therefore note the session ID after logging out and, when another user logs in through the same browser, hijack that session.

Option 4: Assign a session id after authentication, change it at logout. This is the most secure method of assigning session IDs. Since the value is different before login, after login and after logout, a session ID observed by an attacker before login or after logout is never the one bound to an authenticated user, so it cannot be used to hijack the session.
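To make the four options concrete, here is an added worked example (written for this page, not code from the magazine or its author): a toy in-memory session manager whose two flags select which option is modelled, plus the two shared-browser scenarios from the explanations above, replayed against each option. The application, the demo credentials and the scenario functions are all constructed for the illustration; only the rotate-on-login and rotate-on-logout behaviour is the point. The session store and the request flow are assumptions standing in for a real framework.

```python
import secrets

USERS = {"alice": "correct horse battery staple", "mallory": "hunter2"}  # constructed demo credentials


class SessionApp:
    """Toy web application whose only job is session handling (constructed example).
    The two flags select the quiz option being modelled:
      options 1/2: neither flag          option 3: rotate_on_logout only
      option 4:    both flags
    """

    def __init__(self, rotate_on_login, rotate_on_logout):
        self.rotate_on_login = rotate_on_login
        self.rotate_on_logout = rotate_on_logout
        self.sessions = {}  # session id -> {"user": name or None}

    def _new_session(self):
        sid = secrets.token_urlsafe(32)  # unguessable id; predictability is a separate problem
        self.sessions[sid] = {"user": None}
        return sid

    def visit(self, cookie=None):
        """Serve the login page: keep a cookie that is still valid, otherwise issue a new one."""
        if cookie in self.sessions:
            return cookie
        return self._new_session()

    def login(self, cookie, username, password):
        """Authenticate; returns the cookie the browser holds afterwards, or None on failure."""
        if USERS.get(username) != password:
            return None
        if self.rotate_on_login:
            self.sessions.pop(cookie, None)  # the pre-login id is now worthless to anyone who saw it
            cookie = self._new_session()
        self.sessions[cookie]["user"] = username
        return cookie

    def logout(self, cookie):
        """End the session; returns the cookie left in the browser after logout."""
        if self.rotate_on_logout:
            self.sessions.pop(cookie, None)
            return self._new_session()
        self.sessions[cookie]["user"] = None
        return cookie

    def whoami(self, cookie):
        """Identity the application attributes to a presented cookie (None if unauthenticated)."""
        s = self.sessions.get(cookie)
        return s["user"] if s else None


def shared_browser_fixation(app):
    """Option 2 scenario: an id is noted from the login page, then a victim logs in on the same
    browser. Returns True if replaying the noted id now yields the victim's identity."""
    noted = app.visit()                                   # login page loaded, cookie recorded
    app.login(app.visit(noted), "alice", USERS["alice"])  # victim, same browser, same cookie
    return app.whoami(noted) == "alice"


def post_logout_fixation(app):
    """Option 3 scenario: a user logs in and out, the post-logout id is noted, the victim logs in."""
    sid = app.login(app.visit(), "mallory", USERS["mallory"])
    noted = app.logout(sid)                               # cookie left in the browser after logout
    app.login(app.visit(noted), "alice", USERS["alice"])
    return app.whoami(noted) == "alice"


def evaluate():
    """Run both scenarios against each option; True means the victim's session was hijacked."""
    options = {
        "option 2 (fixed id)": SessionApp(rotate_on_login=False, rotate_on_logout=False),
        "option 3 (rotate at logout)": SessionApp(rotate_on_login=False, rotate_on_logout=True),
        "option 4 (rotate at login and logout)": SessionApp(rotate_on_login=True, rotate_on_logout=True),
    }
    return {name: (shared_browser_fixation(app), post_logout_fixation(app))
            for name, app in options.items()}


if __name__ == "__main__":
    for name, (shared, post) in evaluate().items():
        print(f"{name}: shared-browser hijack={shared}, post-logout hijack={post}")
```

Running it shows both scenarios succeeding against options 2 and 3 and failing against option 4: once the id is replaced at authentication and discarded at logout, nothing observed before login or after logout is ever bound to an authenticated user. The same check is what to look for when reviewing a real framework's configuration: does it regenerate the session id on successful login, and does it invalidate (not merely clear) the session at logout?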

by Terence Cornelius.