Session Fixation
Need
Prevention of session hijacking
Context
• Usage of TypeScript for statically typed JavaScript development
• Usage of Express for building web applications and handling HTTP requests
Description
1. Non compliant code
import express from 'express';
const app = express();
app.use(express.json());
let sessionCookie: string;
app.post('/login', (req, res) => {...The vulnerability in this code is session fixation. Session fixation occurs when the session cookie remains the same after a successful login, allowing an attacker to hijack the user's session. In this code, the session cookie is stored in the variable `sessionCookie`. After a successful login, the session cookie is set to a fixed value `'user-session-cookie'`. This means that every user who logs in will have the same session cookie value. The issue is that the session cookie is not invalidated or changed after a successful login. This allows an attacker to obtain the session cookie value and use it to impersonate the user's session. The attacker can set their own cookie with the known session cookie value and gain unauthorized access to the user's account. To fix this vulnerability, the code should invalidate the anonymous cookie and create a new one after a successful login. This ensures that the session cookie value is unique for each user and cannot be easily guessed or exploited by an attacker.
2. Steps
• Generate a unique session ID for each user upon successful login.
• Store the session ID in a secure manner, such as in a server-side session store or database.
• Invalidate the previous session cookie, if any, after successful login.
• Create a new session cookie with the new session ID and set it in the response headers.
• Update the sessionCookie variable to store the new session ID.
• Modify the '/dashboard' route to check the validity of the session ID instead of just checking if the sessionCookie variable is set.
• If the session ID is valid, render the dashboard. Otherwise, return a 401 Unauthorized response.
• Consider implementing additional security measures, such as session expiration and session regeneration after a certain period of time.
3. Secure code example
import express from 'express';
import { v4 as uuidv4 } from 'uuid';
const app = express();
app.use(express.json());
...The fixed code addresses the vulnerability by implementing session management best practices. Here's an explanation of the changes made: 1. The code imports the necessary modules, including the `uuid` module for generating unique session IDs. 2. The `express` application is created and the `express.json()` middleware is used to parse incoming JSON data. 3. A variable `sessionCookie` is declared to store the current session ID. 4. The `/login` route is defined to handle the login request. It extracts the `username` and `password` from the request body. 5. After performing the authentication logic (not shown in the code), a new session ID is generated using `uuidv4()`. 6. The previous session cookie, if any, is invalidated by calling `res.clearCookie('session')`. This ensures that any existing session cookie is removed from the client's browser. 7. A new session cookie is created using `res.cookie('session', sessionId, { httpOnly: true, secure: true })`. The `httpOnly` flag ensures that the cookie is only accessible via HTTP requests and cannot be accessed by client-side JavaScript. The `secure` flag ensures that the cookie is only sent over HTTPS connections. 8. The `sessionCookie` variable is updated with the new session ID. 9. A JSON response with a status of 200 and a message indicating successful login is sent back to the client. 10. The `/dashboard` route is defined to handle requests to the dashboard. It checks if the session ID stored in the cookie matches the `sessionCookie` variable. If they match, it sends a JSON response with a status of 200 and a welcome message. Otherwise, it sends a JSON response with a status of 401 indicating unauthorized access. 11. The server is set to listen on port 3000, and a message is logged to indicate that the server is running. By invalidating the previous session cookie and generating a new one after a successful login, the fixed code prevents session fixation attacks.
References
• 280. Session Fixation