
Setting session IDs is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure the session ID being set is cryptographically secure and not user-supplied.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C#, Java
    • Covered Languages:
      PHP
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • Analysis Level:
      Syntactic Analysis
    • Analysis Scope:
      Main Sources, Test Sources
    • CWE:
      CWE-384
    • OWASP:
      A6

      Description

      Setting session IDs is security-sensitive. Dynamically setting session IDs with client-supplied data or insecure hashes may lead to session fixation attacks and may allow an attacker to hijack another user's session.

      Ask Yourself Whether

      • the session ID is not unique
      • the session ID is set from a hidden field of a web form
      • the session ID relies on a cryptographically insecure hash

      You are at risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • Don't generate session IDs manually; instead use PHP's native functionality, such as session_regenerate_id().
      • If you must generate your own IDs, use a cryptographically secure method, such as bin2hex(random_bytes(16)).

      Sensitive Code Example

      // ID derived from user data through a custom, non-cryptographic hash: reproducible by anyone who knows the input
      session_id(customHash($user));
      // or
      // ID copied straight from the request: the client chooses it
      session_id($_POST["hidden_session_id"]);
      

      Compliant Solution

      // Let PHP generate a fresh ID for the active session (pass true to delete the old session data as well)
      session_regenerate_id();
      // or
      // 16 bytes from the CSPRNG, hex-encoded: 128 bits of entropy; session_id() must be called before session_start()
      $sessionId = bin2hex(random_bytes(16));
      session_id($sessionId);
      
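      The following login flow is an added example written for this rule and is not code from the rule page or from SonarSource. It applies the practices above end to end: PHP generates the ID, session.use_strict_mode makes PHP discard an uninitialised ID presented by the client instead of adopting it, and session_regenerate_id(true) is called at the moment of authentication so that any ID established before login does not carry over. The authenticate() function and its single-user store are made up for the example; predictableId() and secureId() only illustrate why a hash of user data differs from CSPRNG output.

```php
<?php
declare(strict_types=1);

// Added example for RSPEC-5328, not code from the rule page.
// authenticate() and the in-memory user store below are assumptions.

// Hypothetical credential check against a constructed user store.
function authenticate(string $username, string $password): ?int
{
    static $users = null;
    if ($users === null) {
        // Constructed test data: one user whose password is "example-pass".
        $users = ['alice' => ['id' => 42, 'hash' => password_hash('example-pass', PASSWORD_DEFAULT)]];
    }
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return null;
    }
    return $users[$username]['id'];
}

// Start the session with PHP-generated IDs only. use_strict_mode tells PHP to
// reject an ID it did not issue and hand out a fresh one; it must be set
// before session_start(). use_only_cookies stops IDs arriving in the URL.
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Note that nothing from $_POST, $_GET or a hidden form field is ever passed
// to session_id(); the ID stays under PHP's control for the whole flow.
function loginHandler(string $username, string $password): bool
{
    startSecureSession();
    $userId = authenticate($username, $password);
    if ($userId === null) {
        return false;
    }
    // Privilege change: replace the pre-login ID and delete the old
    // session data on the server so the previous ID is worthless.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();
    return true;
}

// Why a hash of user data is not a session ID: the same input always yields
// the same value, so the ID is only as secret as the username.
function predictableId(string $username): string
{
    return hash('sha256', $username); // deterministic: the sensitive pattern
}

// random_bytes() draws from the CSPRNG; two calls do not agree.
function secureId(): string
{
    return bin2hex(random_bytes(16)); // 128 bits of entropy, 32 hex chars
}

if (PHP_SAPI === 'cli') {
    var_dump(predictableId('alice') === predictableId('alice'));
    var_dump(secureId() === secureId());
}
```

      Run under the CLI, the first var_dump reports that the hash-derived ID repeats while the second reports that two CSPRNG-derived IDs differ. In a web request the point to check is that session_regenerate_id(true) sits after the credential check and before any privileged data is written to $_SESSION.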


              People

              • Assignee:
                nicolas.harraudeau (Nicolas Harraudeau)
              • Reporter:
                alexandre.gigleux (Alexandre Gigleux)