Chapter 12 ■ Attacking Other Users
token. This applies both to a successful login and to cases where an anonymous user first submits personal or other sensitive information.

As a defense-in-depth measure to further protect against session fixation attacks, many security-critical applications employ per-page tokens to supplement the main session token. This technique can frustrate most kinds of session hijacking attacks — see Chapter 7 for further details.

The application should not accept arbitrary session tokens that it does not recognize as having issued itself. The token should be immediately canceled within the browser, and the user should be returned to the start page of the application.
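The defenses described above (regenerate the token on login and on first submission of sensitive data, and cancel any token the server did not issue itself) as an added, self-contained Python model of a server's session handling. This is illustrative code, not from the book; the `SessionStore`, the `/login` and `/checkout` routes, the `Response` shape and the credential table are all constructed for the example.

```python
"""Session-fixation defenses modelled as a tiny in-memory server:
 - a token is only honoured if this store issued it;
 - an unrecognised token is cancelled in the browser (Max-Age=0) and the
   user is redirected to the start page;
 - the token is regenerated on successful login and when an anonymous user
   first submits sensitive data, so a token fixed before that point dies."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

START_PAGE = "/"
COOKIE = "sid"

# Constructed credential table for the demo; a real application checks a password hash.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    user: Optional[str] = None
    data: dict = field(default_factory=dict)
    sensitive_seen: bool = False


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None
    set_cookie: Optional[str] = None  # value of a Set-Cookie header, or None


class SessionStore:
    """Server-side session table keyed by opaque, server-generated tokens."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def _new_token(self) -> str:
        # 256 bits from a CSPRNG; the token is only a lookup key and carries no meaning.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        token = self._new_token()
        self._sessions[token] = Session()
        return token

    def lookup(self, token: Optional[str]) -> Optional[Session]:
        return self._sessions.get(token) if token else None

    def regenerate(self, old_token: str) -> str:
        """Move the session state under a fresh token and cancel the old one."""
        session = self._sessions.pop(old_token)
        new_token = self._new_token()
        self._sessions[new_token] = session
        return new_token


def cancel_cookie() -> str:
    return f"{COOKIE}=; Max-Age=0; Path=/; HttpOnly; Secure"


def issue_cookie(token: str) -> str:
    return f"{COOKIE}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def handle_request(store: SessionStore, cookie_token: Optional[str],
                   path: str, form: Optional[dict] = None) -> Response:
    form = form or {}
    # Rule 1: never accept a token the server did not issue; cancel it, go to start page.
    if cookie_token is not None and store.lookup(cookie_token) is None:
        return Response(302, location=START_PAGE, set_cookie=cancel_cookie())

    token = cookie_token or store.create()
    session = store.lookup(token)
    response_cookie = None if cookie_token else issue_cookie(token)

    if path == "/login":
        user, password = form.get("user"), form.get("password") or ""
        if user not in USERS or not secrets.compare_digest(USERS[user], password):
            # Failed login keeps the current (anonymous) token; nothing to protect yet.
            return Response(401, body="bad credentials", set_cookie=response_cookie)
        # Rule 2: successful login gets a fresh token; the pre-login token is gone.
        token = store.regenerate(token)
        session = store.lookup(token)
        session.user = user
        return Response(200, body=f"welcome {user}", set_cookie=issue_cookie(token))

    if path == "/checkout":
        # Rule 3: an anonymous user submitting sensitive data also gets a fresh token.
        if session.user is None and not session.sensitive_seen:
            token = store.regenerate(token)
            session = store.lookup(token)
            session.sensitive_seen = True
            response_cookie = issue_cookie(token)
        session.data["card"] = form.get("card")
        return Response(200, body="stored", set_cookie=response_cookie)

    return Response(200, body="ok", set_cookie=response_cookie)
```

The point to check in a review is the first branch: a token that is merely well-formed but absent from the store must not be adopted as a new session, because that is exactly how a fixed token becomes a valid one. Rotation on login and on first sensitive submission then closes the window for tokens that were legitimately issued before the attacker-visible step.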