If a session ID can be guessed (for example because it is not generated with a cryptographically secure pseudo-random generator, or because it is too short, …), an attacker may be able to hijack another user’s session.
Ask Yourself Whether
- the session ID is not unique.
- the session ID is set from a user-controlled input.
- the session ID is generated with a non-secure pseudo-random generator.
- the session ID length is too short.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Don’t generate session IDs manually; use the language’s native session functionality instead.
Sensitive Code Example
session_id(bin2hex(random_bytes(4))); // Sensitive: 4 bytes is too short
session_id($_POST["session_id"]); // Sensitive: session ID can be specified by the user
Compliant Solution
session_regenerate_id(); // Compliant
session_id(bin2hex(random_bytes(16))); // Compliant
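As an added example (not part of the rule page itself), the following PHP shows how to let the runtime generate the session ID while checking that the configured ID entropy is sufficient, refusing IDs supplied outside the session cookie, and rotating the ID after login. The 128-bit minimum is an assumption taken from the 16-byte compliant line above.

```php
<?php
// Added example, not from the original rule page: rely on PHP's own session
// ID generation, verify its configured entropy, and rotate the ID on login.
declare(strict_types=1);

// Assumption: require at least 128 bits, matching the 16-byte compliant case.
const MIN_SESSION_ID_BITS = 128;

function sessionIdEntropyBits(): int
{
    // PHP 7.1+ builds IDs from a CSPRNG; entropy = length * bits per character.
    $length = (int) ini_get('session.sid_length');
    $bitsPerChar = (int) ini_get('session.sid_bits_per_character');
    return $length * $bitsPerChar;
}

function startHardenedSession(): void
{
    if (sessionIdEntropyBits() < MIN_SESSION_ID_BITS) {
        // Fix the configuration instead of hand-rolling an ID with random_bytes().
        ini_set('session.sid_length', '32');
        ini_set('session.sid_bits_per_character', '5'); // 32 * 5 = 160 bits
    }
    // Only the cookie set by PHP carries the ID; never $_POST/$_GET values.
    ini_set('session.use_only_cookies', '1');
    // Reject IDs the server did not issue (blocks user-chosen/fixated IDs).
    ini_set('session.use_strict_mode', '1');
    session_start();
}

function onSuccessfulLogin(int $userId): void
{
    // Issue a fresh ID so any ID known before authentication is useless now.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```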
See