
Exercise 38: Insufficient Session Expiration

May 1, 2025

Objective

Learn how to exploit Insufficient Session Expiration vulnerabilities to hijack user sessions after logout or inactivity. Understand how to implement secure session management practices to mitigate this risk.


Scenario

You are evaluating a web application that allows users to log out but does not properly invalidate session tokens. This flaw enables an attacker to reuse an old session token and gain unauthorized access to the victim’s account.


Lab Setup

Prerequisites:

  • Basic knowledge of PHP and session management.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
  • A code editor (e.g., VSCode, Sublime Text).
  • Browser developer tools or Burp Suite for capturing session tokens.

Step 1: Create the Vulnerable Web Application

  1. PHP Script for Login
    • Create a file login.php:

      <?php
      session_start();
      // Hard-coded demo accounts for the lab
      $users = ["alice" => "alice123", "bob" => "bob123"];
      if (isset($_POST['login'])) {
          $username = $_POST['username'];
          $password = $_POST['password'];
          if (isset($users[$username]) && $users[$username] === $password) {
              $_SESSION['user'] = $username;
              header("Location: dashboard.php");
              exit; // stop rendering the form once the redirect has been sent
          } else {
              echo "<h2>Invalid Credentials!</h2>";
          }
      }
      ?>
      <h2>Login</h2>
      <form method="POST" action="">
          Username: <input type="text" name="username" required><br>
          Password: <input type="password" name="password" required><br>
          <button type="submit" name="login">Login</button>
      </form>
  2. PHP Script for Dashboard Access
    • Create a file dashboard.php:

      <?php
      session_start();
      // Only a session that carries a logged-in user may see the dashboard
      if (isset($_SESSION['user'])) {
          echo "<h2>Welcome, " . $_SESSION['user'] . "!</h2>";
          echo "<a href='logout.php'>Logout</a>";
      } else {
          echo "<h2>Access Denied. Please log in.</h2>";
          echo "<a href='login.php'>Login</a>";
      }
      ?>
  3. PHP Script for Logout (Vulnerable)
    • Create a file logout.php:

      <?php
      session_start();
      session_destroy(); // the lab's vulnerable logout: the session token is not properly invalidated
      header("Location: login.php");
      ?>
  4. Running the Application
    • Start the Apache server.
    • Place the files in the web server’s root directory (htdocs for XAMPP).
    • Open http://localhost/login.php in your browser.

Exploitation Steps

Step 1: Capturing the Session Token

  1. Log in as alice using:
    • Username: alice
    • Password: alice123
  2. Open browser developer tools → Application → Cookies.
  3. Copy the session ID (PHPSESSID).

Step 2: Hijacking the Session Post-Logout

  1. Log out by clicking Logout.
  2. Open another browser window or use an incognito tab.
  3. Manually set the stolen session ID (PHPSESSID) in the new session.
  4. Access http://localhost/dashboard.php.

Expected Result:

  • The attacker regains access to Alice’s dashboard despite the logout.

Solution and Prevention

Problem Analysis

  • The session is not properly invalidated upon logout, allowing attackers to reuse session tokens.

Fixing the Vulnerability

  1. Regenerate Session IDs on Login
    • Prevent session fixation by issuing a fresh ID once the credentials are verified (in login.php, in place of the plain assignment):

      session_regenerate_id(true); // true also deletes the old session's server-side data
      $_SESSION['user'] = $username;
  2. Properly Invalidate Session on Logout
    • Modify logout.php:

      <?php
      session_start();
      // 1. Clear all session variables
      $_SESSION = [];
      // 2. Expire the session cookie in the browser
      if (ini_get("session.use_cookies")) {
          $params = session_get_cookie_params();
          setcookie(session_name(), '', time() - 42000,
              $params["path"], $params["domain"],
              $params["secure"], $params["httponly"]);
      }
      // 3. Remove the session data on the server
      session_destroy();
      header("Location: login.php");
      exit; // nothing further should run after the redirect
      ?>
  3. Implement Session Timeout
    • Auto-expire inactive sessions. Place this right after session_start() on every protected page (e.g. dashboard.php); 900 seconds is 15 minutes of inactivity:

      if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 900)) {
          session_unset();   // clear the session variables
          session_destroy(); // drop the server-side session
      }
      $_SESSION['LAST_ACTIVITY'] = time(); // record this request as the latest activity
  4. Use Secure and HttpOnly Cookies
    • Set cookie attributes in php.ini:

      session.cookie_httponly = 1  ; cookie not readable from JavaScript
      session.cookie_secure = 1    ; cookie only sent over HTTPS
      session.use_strict_mode = 1  ; reject session IDs the server did not issue
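As an added example that is not part of the original lab, the four fixes above folded into one include file; the function names secure_session_start, login_session and secure_session_destroy and the SameSite=Lax choice are my own. dashboard.php would call secure_session_start() instead of session_start(), login.php would call login_session($username) in place of the plain assignment, and logout.php would call secure_session_destroy() before redirecting.

```php
<?php
// session_hardening.php (added example, not the lab's code): include before any
// output in login.php, dashboard.php and logout.php. Combines strict mode plus
// cookie flags, ID regeneration on login, idle timeout and full invalidation
// on logout. Needs PHP 7.3+ for the array form of the cookie functions.
const IDLE_TIMEOUT = 900;   // seconds of inactivity before expiry, as in the lab

function secure_session_start(): void
{
    // Strict mode: an ID the server never issued is not adopted, so a stale or
    // attacker-chosen PHPSESSID yields a fresh empty session instead.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,     // browser-session cookie
        'path'     => '/',
        'secure'   => true,  // HTTPS only
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    if (isset($_SESSION['LAST_ACTIVITY']) && $now - $_SESSION['LAST_ACTIVITY'] > IDLE_TIMEOUT) {
        secure_session_destroy();       // idle too long: drop record and cookie
        header('Location: login.php');
        exit;
    }
    $_SESSION['LAST_ACTIVITY'] = $now;
}

// Call once credentials are verified. A new ID defeats fixation; the true
// argument deletes the old ID's server-side data immediately.
function login_session(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

// Empty the data, expire the cookie, then delete the server-side record, so a
// PHPSESSID captured before logout is useless afterwards.
function secure_session_destroy(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        unset($p['lifetime']);          // not a setcookie() option key
        setcookie(session_name(), '', ['expires' => time() - 42000] + $p);
    }
    session_destroy();
}
```

The 'secure' => true flag mirrors session.cookie_secure above and, like it, means the lab must be served over HTTPS in browsers that do not treat http://localhost as a secure origin.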

Testing After Fix

  1. Log in as Alice and capture the session ID.
  2. Log out.
  3. Attempt to reuse the session ID in a new browser window.

Expected Result:

  • The server rejects the reused session, denying access to the dashboard.

Conclusion

In this lab, you exploited Insufficient Session Expiration to hijack a session after logout. You also learned how to prevent this vulnerability by properly invalidating sessions, regenerating session IDs, enforcing session timeouts, and securing session cookies.
