In a session fixation attack, the attacker fixes the user’s session ID before the user even logs into the target server, thereby eliminating the need to obtain the user’s session ID afterwards. This is accomplished by the attacker first going to the website and obtaining a valid session ID. Then the attacker sends a link that contains that session ID to an unsuspecting victim. The victim clicks on the link, goes to the website and logs in. Now, the attacker sends another request to the website, say for the account information page. Since the attacker sends the same session ID as the logged-in victim, the website treats them as the same user and sends the attacker the requested information. This results in the session being hijacked.
The process for this attack is as follows:
- Attacker connects to the server
- The server generates a session token and sends it to the attacker
- The attacker crafts a URL containing the session token and emails it out
- Victim clicks on the link and logs in to the site with the same session token
- The server treats the login as the same user and retains the session token
- Attacker sends another request to the server with the session token and hijacks the victim’s session
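The defence against the sequence above is to stop honouring a pre-login session ID once the user authenticates. The added example below is not from the original page: it is a constructed in-memory session store with a vulnerable login that keeps the client-presented ID and a hardened login that discards it and issues a fresh one, then replays the attack against both.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store: session_id -> session data."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        # Unpredictable, server-generated identifier
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid


def vulnerable_login(store, client_sid, username):
    # Vulnerable: the server accepts whatever session ID the client presents
    # and keeps it after authentication, so an ID fixed before login is
    # still valid afterwards.
    session = store.sessions.setdefault(client_sid, {"user": None})
    session["user"] = username
    return client_sid


def hardened_login(store, client_sid, username):
    # Hardened: the pre-login session is dropped at the privilege change and
    # a fresh server-issued ID is bound to the authenticated user. Any data
    # worth keeping (e.g. a shopping cart) would be copied from pre_auth here.
    pre_auth = store.sessions.pop(client_sid, None)
    sid = store.new_session()
    store.sessions[sid]["user"] = username
    return sid


def whoami(store, sid):
    """Return the user bound to sid, or None if the session is unknown/anonymous."""
    session = store.sessions.get(sid)
    return session["user"] if session else None


def simulate_fixation(login):
    """Replay the attack: attacker obtains an ID, victim logs in with it,
    attacker then reuses the same ID. Returns (what attacker sees, victim's sid)."""
    store = SessionStore()
    fixed_sid = store.new_session()                # attacker gets a valid ID
    victim_sid = login(store, fixed_sid, "victim")  # victim logs in via the link
    return whoami(store, fixed_sid), victim_sid, store


if __name__ == "__main__":
    print("vulnerable:", simulate_fixation(vulnerable_login)[0])  # victim
    print("hardened:  ", simulate_fixation(hardened_login)[0])    # None
```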