Date Added: Feb 2012
Many web-based applications employ some kind of session management to create a user-friendly environment. Sessions are stored on server and associated with respective users by session IDentifiers (IDs). Naturally, session IDs present an attractive target for attackers, who, by obtaining them, effectively hijack users' identities. Knowing that, web servers are employing techniques for protecting session IDs from three classes of attacks: interception, prediction and brute-force attacks. This paper reveals a fourth class of attacks against session IDs: session fixation attacks. In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server, hereby eliminating the need to obtain the user's session ID afterwards.