Understanding session fixation attacks


#1

is there a way that, our application can understand wheteher the session
id
sent from the browser is forged or created by rails? I understand that
if
the attacker guesses session id, theres nothing we can do about it; but
can
we understand if he/she is trying to guess by creating random session
ids.


#2

Can’t we just pass another unique key as a pair to validate the
session? It’d be much harder to randomly guess two matching keys.
That would be my simple solution.


Jim J.
“A trustworthy individual.”
www.DontTrustThisGuy.com
(480) 235-5201


#3

Jim J. wrote:

Can’t we just pass another unique key as a pair to validate the
session? It’d be much harder to randomly guess two matching keys.
That would be my simple solution.

In principle there is no difference between one key and two keys, using
two keys is the same as doubling the key length. But this is not
necessary, the chance that someone can guess the 64 bits of the Rails
session ID is virtually zero.


#4

How about keep the session id in the session itself. Then compare with
what
ever the browser send back. This way, we can verify it. However, I don’t
know it actually works. Never try.

Tom