Why is this an issue?

Session IDs are used to identify a user session. They are usually stored in cookies, URL parameters, or hidden form fields.

If a session ID can be guessed (for example because it was not generated with a cryptographically secure pseudo-random generator, or because it is too short), an attacker may be able to hijack another user’s session.

If an application allows users to specify their own session ID (for example via URL parameters or form fields), an attacker may be able to set a known session ID for a victim user and then hijack the victim’s session once the victim logs in (a session fixation attack).

How to fix it

Don’t generate session IDs manually; rely on the language’s native session handling instead. In PHP, call session_regenerate_id() to have PHP generate a new session ID, or pass session_id() a securely generated random value of sufficient length (at least 16 bytes). In both cases the ID must never come from user-controlled input.

Code Examples

Noncompliant Code Example

session_id(bin2hex(random_bytes(4))); // Noncompliant, 4 bytes is too short
session_id($_POST["session_id"]); // Noncompliant, session ID can be specified by the user

Compliant Solution

session_regenerate_id(); // Compliant
session_id(bin2hex(random_bytes(16))); // Compliant
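The snippets above show the individual calls; the following is an added example (not part of the original rule description) that puts them into a minimal login flow. PHP generates the session ID, the client is never allowed to choose it, and the ID is rotated with session_regenerate_id(true) at the moment the session gains privileges. The function names (authenticate, login, logout, handle_request) and the in-memory credential store are hypothetical and constructed for the example.

```php
<?php
// Added example, not part of the original rule description. It shows a login
// flow that never lets the client choose its session ID: PHP generates the ID,
// and it is rotated at the privilege boundary. Function names (authenticate,
// login, logout, handle_request) and the credential store are hypothetical.
declare(strict_types=1);

// Session configuration, applied before session_start().
// use_strict_mode: PHP rejects any session ID it did not generate itself, so an
// attacker-supplied (fixated) ID in the cookie is discarded and replaced.
ini_set('session.use_strict_mode', '1');
// use_only_cookies / use_trans_sid: the ID is taken only from the cookie, never
// from URL parameters or form fields.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Since PHP 7.1 the ID comes from a CSPRNG; sid_length and
// sid_bits_per_character set its size (32 chars x 5 bits = 160 bits here).
ini_set('session.sid_length', '32');
ini_set('session.sid_bits_per_character', '5');
// Cookie attributes (array form of session_set_cookie_params needs PHP >= 7.3).
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);

session_start();

// Hypothetical credential check. The store is constructed at runtime for the
// example; a real application would load password hashes from its user database.
function authenticate(string $user, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('sample-password', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    if (!authenticate($user, $password)) {
        return false;
    }
    // Rotate the ID when the session gains privileges. Even if the browser
    // arrived with an ID an attacker knows, the authenticated session gets a
    // fresh server-generated one; true also deletes the old session's data.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie that carries the old ID, then drop server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

function handle_request(): void
{
    $action = $_POST['action'] ?? '';
    if ($action === 'login') {
        $ok = login((string)($_POST['user'] ?? ''), (string)($_POST['password'] ?? ''));
        echo $ok ? "logged in as {$_SESSION['user']}\n" : "invalid credentials\n";
    } elseif ($action === 'logout') {
        logout();
        echo "logged out\n";
    } elseif (isset($_SESSION['user'])) {
        echo "hello {$_SESSION['user']}\n";
    } else {
        echo "anonymous\n";
    }
    // Note what is absent: no session_id($_POST[...]) or session_id($_GET[...]);
    // the client is never allowed to pick the ID.
}

handle_request();
```

Two points worth checking in a review of real code: session_regenerate_id() should be called at every privilege change (login, role elevation), not only at session creation, and if an application does use the session_id(bin2hex(random_bytes(16))) form from the compliant solution, that call has to precede session_start(), since the ID cannot be changed once the session is active.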

Resources