13

I'm wondering if regenerating the session id after a successful login is really a good practice and not just sort of a cargo cult behavior.

If I understand the theory correctly it should prevent session hijacking (or at least make it harder), but I can't really see, if someone could steal the pre-login session, what would stop the phisher from doing it again with the regenerated one.

I'm not focusing on Spring (I don't even use Java currently), I'm interested in the pros and cons.

Wabbitseason

2 Answers

9

Yes. You should regenerate the session on login, to help defend against session fixation and login CSRF.

See OWASP's recommendation for more.

D.W.
  • Even after regenerating the session ID, its value would be residing in the browser cookie. It can be copied and replayed if the user has access. Isn't it right? – techie_28 Jun 28 '17 at 07:54
  • 5
    @techie_28 If the attacker can access read the victim's cookies - then yes. But regenerating IDs does not protect against that, but rather against session fixation: suppose an attacker sets your session ID and you log-in, they know now the session ID of an authenticated user. If the application regenerates the ID on log-in, they don't. – Stephen Harris Aug 29 '17 at 22:02
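As an added example (not code from D.W.'s answer or from the OWASP page it points to), here is a toy in-memory session store that plays out both the fixation scenario Stephen Harris describes and the post-login cookie-theft caveat techie_28 raises. The class and function names, and the idea of an attacker obtaining a legitimate pre-login session ID and planting it in the victim's browser, are assumptions made for this illustration.

```python
# Added example (not from D.W.'s answer or the OWASP page): a toy
# in-memory session store that shows why rotating the session ID at
# login defeats session fixation, and why it does not help once the
# attacker can copy the *post-login* cookie. Class and function names
# are assumptions made for this illustration.
import secrets


class SessionStore:
    """Server-side sessions keyed by an unguessable session ID (SID)."""

    def __init__(self):
        self._sessions = {}  # sid -> session data

    def new_session(self):
        """Pre-login session, as issued to any visitor (including an attacker)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login_without_regeneration(self, sid, user):
        """Vulnerable: authenticate whichever session the client presents."""
        self._sessions[sid]["user"] = user
        return sid  # client keeps the same SID

    def login_with_regeneration(self, sid, user):
        """Hardened: drop the presented SID, move its data to a fresh one."""
        data = self._sessions.pop(sid, {})  # the old SID is now invalid
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid  # client receives a new cookie value

    def user_for(self, sid):
        """Who the server believes is behind this SID (None if unauthenticated or unknown)."""
        session = self._sessions.get(sid)
        return session["user"] if session else None


def fixation_attack(regenerate):
    """Session fixation: the attacker obtains a legitimate pre-login SID,
    plants it in the victim's browser, and waits for the victim to log in.
    Returns True if the planted SID is now an authenticated session."""
    store = SessionStore()
    planted_sid = store.new_session()  # attacker's own pre-login session
    # The victim's browser now carries planted_sid (delivered via a crafted
    # link, a cookie-setting sibling host, etc.) and the victim logs in with it.
    if regenerate:
        store.login_with_regeneration(planted_sid, "alice")
    else:
        store.login_without_regeneration(planted_sid, "alice")
    return store.user_for(planted_sid) == "alice"


def post_login_cookie_theft(regenerate):
    """The caveat from the comments: if the attacker copies the cookie
    *after* login (XSS, malware, access to the machine), regeneration at
    login changes nothing, because the attacker copies the new value."""
    store = SessionStore()
    sid = store.new_session()
    if regenerate:
        sid = store.login_with_regeneration(sid, "alice")
    else:
        sid = store.login_without_regeneration(sid, "alice")
    stolen_sid = sid  # attacker copies the current cookie value
    return store.user_for(stolen_sid) == "alice"


if __name__ == "__main__":
    print("fixation, no regeneration:", fixation_attack(False))        # True
    print("fixation, regeneration:   ", fixation_attack(True))         # False
    print("post-login theft, regen:  ", post_login_cookie_theft(True)) # True
```

The store is deliberately minimal: real frameworks also bind the session to the user on the server side and expire it, but the single property that matters for fixation is that the SID the attacker chose is never the SID of an authenticated session.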
8

You regenerate to prevent session hijacking when the pre-login is http and the post-login is https. That is what stops the attacker doing it again with the regenerated one.

It is relatively easy to steal a session identifier for an http session, assuming you are near the victim, or in the path somewhere, or have phished etc - and if this session identifier is also viable in the encrypted session it can make the attacker's job quite easy.

Rory Alsop
  • So if a site doesn't use https then a new session id wouldn't enhance security? – Wabbitseason May 28 '11 at 07:05
  • @Wabbitseason - well, it could by a small amount - mostly because whenever you regenerate the session identifier it reduces the threat of replay attacks, but its significance is greatly reduced. – Rory Alsop May 28 '11 at 08:12
  • 1
    @RoryAlsop The regenerated session id would also be stored in the browser cookie.If this cookie is copied and replayed in another browser then it would be like as if the actual user has logged in. isnt it? – techie_28 Jun 20 '17 at 10:08
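As an added example (not code from Rory Alsop's answer), the following models what a passive attacker on the network can read when the pre-login pages are plain HTTP and the post-login pages are HTTPS. It goes one step beyond the answer by also showing the cookie's Secure attribute, which is what keeps the regenerated post-login cookie from being sent on later HTTP requests. The host names, cookie values and the CookieJar class are assumptions made for this illustration.

```python
# Added example (not from Rory Alsop's answer): a model of which session
# cookies a passive network attacker can read when pre-login pages are
# plain HTTP and post-login pages are HTTPS. It also shows the Secure
# attribute, which keeps the post-login cookie off later HTTP requests.
# Host names, cookie values and the CookieJar class are assumptions.
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool     # only sent over https
    http_only: bool  # not readable from JavaScript (irrelevant to sniffing)


def parse_set_cookie(header):
    """Parse one Set-Cookie header value with the standard library parser."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return Cookie(name, morsel.value, bool(morsel["secure"]), bool(morsel["httponly"]))


class CookieJar:
    """Minimal browser cookie jar: one cookie per name, Secure honoured."""

    def __init__(self):
        self.cookies = {}

    def receive(self, set_cookie_header):
        cookie = parse_set_cookie(set_cookie_header)
        self.cookies[cookie.name] = cookie  # same name -> replaced

    def cookies_for(self, url):
        """Cookies a browser attaches to a request: Secure ones only over https."""
        https = urlsplit(url).scheme == "https"
        return {c.name: c.value for c in self.cookies.values() if https or not c.secure}


def sniffer_view(regenerate_on_login, secure_after_login):
    """Simulate one visit: an http catalog page, an https login, then one
    more http request (an image, a redirect, ...). Return what a sniffer on
    the wire saw and whether it now holds the authenticated session ID."""
    jar = CookieJar()
    # The pre-login cookie cannot be Secure: the http pages need it.
    jar.receive("sid=pre-login-id; Path=/; HttpOnly")
    seen_before_login = jar.cookies_for("http://shop.example/catalog").get("sid")

    # Login over https: the server either keeps the SID or issues a fresh
    # one, with or without the Secure attribute.
    authenticated_sid = "post-login-id" if regenerate_on_login else "pre-login-id"
    flags = "; Secure" if secure_after_login else ""
    jar.receive(f"sid={authenticated_sid}; Path=/; HttpOnly{flags}")

    # Any later plaintext request reveals every non-Secure cookie.
    seen_after_login = jar.cookies_for("http://shop.example/img/logo.png").get("sid")
    return {
        "seen_before_login": seen_before_login,
        "seen_after_login": seen_after_login,
        "attacker_has_auth_sid": authenticated_sid in (seen_before_login, seen_after_login),
    }


if __name__ == "__main__":
    for regen in (False, True):
        for secure in (False, True):
            print("regenerate =", regen, "secure =", secure, "->", sniffer_view(regen, secure))
```

Running the four combinations shows that regeneration alone is not enough (the fresh ID leaks on the next plain-HTTP request) and the Secure attribute alone is not enough either (the attacker already saw the pre-login ID, which is still the authenticated one); only the combination leaves the sniffer with nothing usable.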