Session Vulnerabilities in Web Applications

What is session?

Session is about authenticating the communication between the user and the server. To understand this concept better see the following scenario shown in Fig.1.

What is session,Session Vulnerabilities in Web Applications

Fig 1

Here it’s shown how the sever grants a session id/token to the user when he is logging in. Every time the user requests the server to show a new page, the user has to send the session id/token along with it. The server validates the requested session id/token and responds to the user. So through this it can be understood that every login page has a session. But the important question is, whether it is secure? Sessions can be implemented using one of these ways – Session Cookies, Header parameters, HTTP body parameters, Authentication tokens, etc.

ATTACK & IMPACT

Possible vulnerabilities found in session

  • As told before, once the user has logged into a web application the server provides a session. This same session is used by user to request for another webpage. But once the user has logged out if the session is still active, hacker can acquire the session token and use the same to log into the webpage without user credentials. If this web page contains any important or sensitive data the hacker will get hold of the same because of the session being left active even after the authorised person has logged out. This is called session reply attack.
  • Another vulnerability that can be found in the sessions is when the session does not get expired. For example if the user has logged in and has forgotten to logout, the session that he had activated will remain active till he logs out of the site. This can cause phishing attacks, data breach, leakage of personal information, etc.
  • If the portal allows same user to login from different browsers defeating the uniqueness of the user, the same will be possible by the attacker to manipulate the situation. For example see Fig.2, if a user has logged in from one device and has also logged in from another device, this will cause duplication in the server side database. This may seem common in most applications as developers feels this feature provides flexibility for their customers. But this will create a lot of complexity on the server side while storing duplicate data.

SOLUTION



To mitigate the above mentioned vulnerabilities, following steps have to be followed:

  • The session token has to be unique for each user.
  • The session token has to have a complex value that cannot be guessable.
  • The session has to be changed each time the user sends a request.
  • Each time a new session is created during the user’s request, the previous session has to be deleted from the database.
  • Sessions should have time-limit.
  • Once user has logged out the session, it has to be deleted from the database.
CSRF attack