[SOLVED]

 Session Fixation

11/1/2020 2:05:34 AM
PHPRunner General questions
m.salahi author

Hi everyone,
A vulnerability exists where the value of the user's session doesn't change after logging in/out; it is supposed to be random every time the user logs in.

Scenario of the vulnerability: when you log in with the admin user, you get a value for your session, but when you log out and then log back in, the session value remains the same.

It's strongly recommended to implement proper session management to protect users' confidentiality and integrity.

Recommendations

Kindly see the link below to learn more about the vulnerability and about implementing proper session fixation management.

https://owasp.org/www-community/attacks/Session_fixation

How can I solve this vulnerability in PHPRunner?

fhumanes 11/3/2020

Hi:
I have been reading the documentation on the Internet on this matter and I think that all these security mechanisms can be specified in the "php.ini" file of your server's PHP, so that you can configure it as you feel more secure.
Also, in the "After logout" event you can write this code:

    session_destroy();

to remove the content of all session variables.
Greetings,
fernando

m.salahi author 11/4/2020

Thanks Fernando.
I want to ask you: if the user doesn't click log out, can the session also be destroyed?

fhumanes 11/4/2020

> Thanks Fernando.
> I want to ask you: if the user doesn't click log out, can the session also be destroyed?

Hi:
The answer is no. If you do not log out, the session is not destroyed.
There are a lot of configuration options for sessions in "php.ini", among them the validity time, which surely can help you to configure your server and therefore your application.
You can also implement, with a minimum of code in PHPRunner, the solution that satisfies you.
Look at this description: https://solutionfactor.net/blog/2014/02/08/implementing-session-timeout-with-php/
If you decide exactly what you want to do and you have difficulty including it in PHPRunner, tell me and I will give you a small example that implements it.
Greetings,
fernando
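The point raised in the first post (the session ID must change on login) and the question answered here (expiring a session without a logout click) can both be handled with a few lines of plain PHP. The example below is added here and is not fhumanes' or PHPRunner's own code; it assumes the functions are wired into PHPRunner's "After successful login" and "After logout" events (event names assumed) and uses a constructed 15-minute idle limit.

```php
<?php
// Added example, not PHPRunner's own code. Idle limit is an assumed value.
const IDLE_LIMIT_SECONDS = 900;

function ensureSession(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Reject session IDs the server never issued, and keep the cookie
        // out of JavaScript and off plain HTTP.
        ini_set('session.use_strict_mode', '1');
        session_set_cookie_params([
            'httponly' => true, 'secure' => true, 'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Call once credentials are verified: issuing a fresh ID is what closes the
// fixation finding, because the pre-login ID stops being valid.
function onSuccessfulLogin(string $username): void {
    ensureSession();
    session_regenerate_id(true);          // true = discard the old session data
    $_SESSION['user'] = $username;
    $_SESSION['last_activity'] = time();
}

// Call from "After logout": clear server-side data and expire the cookie, so
// session_destroy() alone does not leave a reusable ID in the browser.
function onLogout(): void {
    ensureSession();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Call on every request: ends idle sessions even if "logout" is never clicked.
function enforceIdleTimeout(): bool {
    ensureSession();
    $last = $_SESSION['last_activity'] ?? 0;
    if (isset($_SESSION['user']) && time() - $last > IDLE_LIMIT_SECONDS) {
        onLogout();
        return false;                     // session expired
    }
    $_SESSION['last_activity'] = time();
    return true;
}
```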

m.salahi author 11/26/2020

Hi,

Thanks Fernando.
The vulnerability still exists after they retested my site.
I want to solve that.
Thanks