
Security:Session fixation

From MoodleDocs

Latest revision as of 07:27, 6 May 2022

Important:

The content of this page has been updated and migrated to the new Moodle Developer Resources, at /general/development/policies/security/session-fixation. The information on this page should no longer be considered up to date.


This page forms part of the Moodle security guidelines.

What is the danger?

"Session Fixation is an attack that permits an attacker to hijack a valid user session. (...). The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing a user to authenticate himself with that session ID, and then hijacking the user-validated session by the knowledge of the used session ID. The attacker has to provide a legitimate Web application session ID and try to make the victim's browser use it. (...) The session fixation attack is a class of Session Hijacking, which steals the established session between the client and the Web Server after the user logs in. Instead, the Session Fixation attack fixes an established session on the victim's browser, so the attack starts before the user logs in." (OWASP - Session fixation)
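The following is an added example, not code from this page or from Moodle, that plays the OWASP scenario above against a toy in-memory session store. The store, the `login_vulnerable` and `login_hardened` routines, the `run_fixation_attack` driver and the single user account are all constructed for the illustration. The vulnerable login authenticates whatever session ID the browser already holds, so an attacker who planted that ID before login shares the authenticated session. The hardened login does what the usual defence prescribes: it moves the authenticated session to a freshly generated ID and discards the old one (the PHP equivalent is `session_regenerate_id(true)`), so the ID the attacker knows no longer resolves to anything.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple


class Session:
    """Server-side session record; `user` stays None until authentication succeeds."""

    def __init__(self) -> None:
        self.user: Optional[str] = None


class SessionStore:
    """Minimal in-memory session store constructed for this example (not Moodle's handler)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable ID; fixation does not rely on guessing it
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def regenerate(self, sid: str) -> str:
        """Move the session to a fresh ID and drop the old one (the fix for fixation)."""
        session = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = session
        return new_sid


# Constructed credential table; a real application stores password hashes, not passwords.
USERS = {"alice": "correct horse battery staple"}


def _check_password(username: str, password: str) -> bool:
    expected = USERS.get(username, "")
    return bool(expected) and hmac.compare_digest(expected, password)


def login_vulnerable(store: SessionStore, sid: str, username: str, password: str) -> Tuple[str, bool]:
    """Authenticate the presented session in place: anyone who already knows `sid` is now logged in too."""
    session = store.get(sid)
    if session is None:
        sid = store.new_session()
        session = store.get(sid)
    if not _check_password(username, password):
        return sid, False
    session.user = username
    return sid, True


def login_hardened(store: SessionStore, sid: str, username: str, password: str) -> Tuple[str, bool]:
    """Authenticate, then issue a new session ID so a pre-login ID known to an attacker becomes worthless."""
    session = store.get(sid)
    if session is None:
        sid = store.new_session()
        session = store.get(sid)
    if not _check_password(username, password):
        return sid, False
    session.user = username
    return store.regenerate(sid), True


def run_fixation_attack(login) -> Tuple[Optional[str], Optional[str], bool]:
    """Run the OWASP scenario against a login routine.

    Returns (user the attacker's planted ID now resolves to,
             user the victim's post-login ID resolves to,
             whether the victim's ID changed at login).
    """
    store = SessionStore()
    # 1. Attacker obtains a valid session ID simply by connecting to the application.
    fixed_sid = store.new_session()
    # 2. Victim is induced to use that ID (e.g. via a crafted link or injected cookie) and logs in with it.
    victim_sid, ok = login(store, fixed_sid, "alice", USERS["alice"])
    if not ok:
        raise RuntimeError("victim login should succeed in this scenario")
    # 3. Attacker presents the ID he planted before the victim logged in.
    attacker_session = store.get(fixed_sid)
    attacker_user = attacker_session.user if attacker_session else None
    victim_user = store.get(victim_sid).user
    return attacker_user, victim_user, victim_sid != fixed_sid


if __name__ == "__main__":
    print("vulnerable:", run_fixation_attack(login_vulnerable))  # attacker resolves to 'alice'
    print("hardened:  ", run_fixation_attack(login_hardened))    # attacker's ID resolves to nothing
```

The check a reviewer wants is the third step: after the victim authenticates, the attacker's copy of the pre-login ID must not resolve to the victim's session. Regenerating the ID only on privilege change (login, and ideally re-authentication or role elevation) is enough; rotating it on every request adds nothing against fixation and complicates concurrent requests.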

How Moodle avoids this problem

What you need to do in your code

What you need to do as an administrator

See also

* Coding