What is the best mitigation approach against session fixation attacks?
- Ensure that the session ID uses at least 64 bits of characters.
- Ensure that the session ID is used after a user completes authentication.
- Ensure that the session ID is exchanged only though an encrypted channel.
- Ensure that the session ID changes from the default session name used by the web application framework.
|
Explanation & Hint: It is critical to encrypt an entire web session, not only for the authentication process of exchanging user credentials but also to ensure that the session ID is exchanged only through an encrypted channel. Using an encrypted communication channel also protects the session against some session fixation attacks, in which the attacker can intercept and manipulate the web traffic to inject (or fix) the session ID on the web browser used by the user. |