Session Fixation Demo
Current Session ID: 2d175d9a777f2d8f0813e34bcedeb604
Session data:
Array ( )
Cookie params:
Array
(
[lifetime] => 0
[path] => /
[domain] =>
[secure] =>
[httponly] =>
[samesite] =>
)
Note: HttpOnly is NOT SET
Note: Secure is NOT SET
Note: SameSite is
Session Fixation Attack
- Attacker crafts URL with session ID:
http://victim.com/session.php?PHPSESSID=attacker_session_id
- Victim clicks link — session ID is set
- Victim logs in — session ID stays the same (no regeneration)
- Attacker uses same session ID → authenticated session!
Test
Set your session ID:
Then login and check if the session ID stays the same:
# 1. Set session ID curl -c /tmp/cookies.txt "http://localhost/session.php?PHPSESSID=my_evil_session" # 2. Login (session should regenerate, but it doesn't) curl -b /tmp/cookies.txt -c /tmp/cookies.txt -X POST -d "uname=test&pass=test" "http://localhost/login.php" # 3. Check session ID curl -b /tmp/cookies.txt "http://localhost/session.php"
Additional Session Issues
- No HttpOnly flag: JavaScript can access session cookie
- No Secure flag: Session cookie sent over HTTP
- Predictable session ID: PHP default is random but can be set externally
- Session data in URL: Session ID accepted via GET parameter