
session logins

So basically I just thought I had found a security flaw in a website being developed, but I'm not sure. Basically, when logged in you set a session for the logged-in user as the username. Now, if someone was to set the same session in a similar way on a different website, that session would be set and they would be logged in on both sites, correct? Does that make sense? If not, please ask.

So basically, what is the best way of stopping this security-wise, or how else would you do it?

Snapey
Best Answer

The session token is unique to the user's session with the web server. Each request the browser re-presents the session token and the server compares it to the version of the token it holds.

The client has no part in creating the session token, so it's not possible to do what you suggest.

You cannot transfer the token to another place and expect it to work. However, what can be done is session hijacking. Someone on the same LAN can see the token being passed and use it for their own transactions, pretending to be the logged-in user. This only works for the duration of the session and is one of the prime reasons for using https, so that the token cannot be sniffed by anyone else.

If you have an appetite for more, OWASP is a good site: https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
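As an added example (not code from this thread), here is what the server-side part looks like in plain PHP: the browser only ever receives the random session id PHP generates, the username stays in the server's session store, and the id is regenerated at login. It assumes PHP 7.3+ and a hypothetical `verify_credentials()` function for the password check.

```php
<?php
// Added example, not from the thread. Assumes a hypothetical
// verify_credentials() that checks a username/password against your user store.
declare(strict_types=1);

// Cookie settings before the session starts: Secure so the id only travels
// over HTTPS (the sniffing concern above), HttpOnly so page scripts cannot
// read it, SameSite to limit it being sent on cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
// Accept only ids this server issued; an id a client invents gets a fresh one.
ini_set('session.use_strict_mode', '1');
session_start();

function login(string $username, string $password): bool
{
    if (!verify_credentials($username, $password)) { // hypothetical helper
        return false;
    }
    // Replace the pre-login id so a token fixed or captured before
    // authentication does not turn into an authenticated one.
    session_regenerate_id(true);
    // The identity lives in the server-side session record. The browser gets
    // only the opaque PHPSESSID cookie, never the username itself.
    $_SESSION['user']     = $username;
    $_SESSION['login_at'] = time();
    return true;
}

function current_user(): ?string
{
    // On each request the browser re-presents PHPSESSID, PHP looks up the
    // matching server-side record, and this value comes from that record.
    // A different site has its own store, so the same id means nothing there.
    return $_SESSION['user'] ?? null;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```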
