I think that the best way is to save the session ID in a database and check whether any session ID is duplicated; if so, send a warning to the admin and regenerate the session ID. It is the best way.
Say we have a database in which the session ID of each user is saved.
When a hacker steals another user's session ID and enters the site, then there will be two identical session IDs in the database.
Does it make sense?
Of course, it is said that it is possible to prevent this attack with a token:
[PHP]
<?php
session_start(); // the session must be started before $_SESSION can be used
$token = md5(uniqid(rand(), TRUE)); // random per-session token
$_SESSION['token'] = $token;        // stored in the server-side session data
?>
[/PHP]
One comment about that code is:
Via the URL or POST yes. It doesn't prevent session hijacking, it simply makes it harder because it's one extra piece of information you need. You're effectively passing an authentication token around in all requests... which would be fairly easy to sniff.
But I don't understand...
Please explain it to me; I am confused.
We create a session ID and a token for a user, then the token is in the session array under a specific session ID.
A hacker steals the session ID of the user and enters the site.
Now what would happen next? Can the hacker find the token?
I think the token is saved on the server and is not transferred over the network. Right?
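As an added example (my own code, not from this thread or from PHP's session handling), here is a small Python model of the scheme under discussion: a server-side session table holding a per-session token and a client fingerprint, with a check that shows which requests a stolen session ID alone can pass, the admin warning, and ID regeneration. The names (SessionStore, fingerprint, scenario) and the sample clients are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def fingerprint(user_agent: str, ip: str) -> str:
    """Bind a session to client attributes. Constructed heuristic: IP binding breaks
    for users behind changing proxies, so treat a mismatch as an alert, not proof."""
    return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()


class SessionStore:
    """Stand-in for the database table of session IDs described in the post."""

    def __init__(self):
        self.sessions = {}  # session_id -> record; the ID is the key, so it is unique
        self.alerts = []    # the 'warning for admin' from the post

    def create(self, user: str, fp: str):
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        # The token lives in the server-side record, like $_SESSION['token'].
        self.sessions[sid] = {"user": user, "token": token, "fp": fp}
        return sid, token

    def validate(self, sid: str, presented_token, fp: str) -> str:
        rec = self.sessions.get(sid)
        if rec is None:
            return "no-session"
        # The token only helps if the client must present it on every request,
        # which means it travels over the network alongside the session ID.
        if not hmac.compare_digest(rec["token"], presented_token or ""):
            return "bad-token"
        if rec["fp"] != fp:
            self.alerts.append(f"session of {rec['user']} used from a different client")
            return "client-mismatch"
        return "ok"

    def rotate(self, sid: str) -> str:
        """Regenerate the session ID: keep the record, invalidate the old ID."""
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = self.sessions.pop(sid)
        return new_sid


def scenario():
    """Constructed walk-through: a victim logs in, an attacker replays the stolen ID."""
    store = SessionStore()
    victim_fp = fingerprint("Mozilla/5.0", "203.0.113.10")
    attacker_fp = fingerprint("curl/8.0", "198.51.100.7")
    sid, token = store.create("alice", victim_fp)
    results = {"victim": store.validate(sid, token, victim_fp),
               "stolen_id_only": store.validate(sid, None, attacker_fp),
               "stolen_id_and_token": store.validate(sid, token, attacker_fp)}
    new_sid = store.rotate(sid)
    results["old_id_after_rotate"] = store.validate(sid, token, victim_fp)
    results["new_id"] = store.validate(new_sid, token, victim_fp)
    return results, len(store.alerts)
```

The "stolen_id_and_token" case is the point of the quoted comment: once the token has to be sent with each request, whoever can sniff the session ID can sniff the token too, so only the client binding catches that replay.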