Session Fixation


Liege Kluppel

Mar 3, 2023, 11:50:54 AM
to Keycloak Dev
We use Keycloak as our IAM, which does identity brokering with an external auth server. During a VA test an issue was raised regarding the session ID. The session ID is being reused upon consecutive logins: an AUTH_SESSION_ID cookie is generated with a specific value when the user hits the openid-connect/auth link, which redirects to an external authentication provider. After authenticating to the external provider, the user gets redirected back to our application and the AUTH_SESSION_ID value is not refreshed at this page.

This can cause applications to be manipulated to forge advanced attacks such as Session Fixation, allowing the attacker to set an arbitrary session cookie on the client's browser. To prevent that, the session token should change upon consecutive logins.

In Keycloak's documentation it says that "SessionFixationProtectionStrategy is currently not supported", but there is no advice on how to deal with the session fixation risk in this setup.

Can someone advise on how we can deal with this and change the session ID upon consecutive logins?

Kannan Rasappan

Mar 10, 2023, 10:35:21 AM
to Keycloak Dev
Dear RedHat team or community
Are there any RedHat tickets on this topic? If so, please guide us.

Liege Kluppel

Apr 18, 2023, 1:21:08 PM
to Keycloak Dev
We came up with a workaround to mitigate this risk, as follows:

    1. Generate a new custom session ID (custom_session_id) on login. A custom Authenticator can be created in Keycloak, which will generate this custom session ID for each login attempt.
    2. This custom_session_id cookie will be created and returned in the authResponse method (step 7 of the sequence diagram below).
    3. The value of the custom_session_id cookie created in step 2 will be added as an Auth Session Note of the authentication session.
    4. During the custom authentication (step 11 of the sequence diagram below), the custom_session_id cookie value sent in the request will be validated against the custom_session_id value stored in the Auth Session Note.
    5. If its value is the same as the one set up in step 2, the flow continues successfully. Otherwise, an error will be returned.

Below is the sequence diagram of the proposed solution, based on our authentication flow implementation:

[Image: authflow.png]
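An added example of the custom Authenticator described in steps 1 to 5 above; it is not the poster's code nor part of Keycloak itself. It assumes Keycloak 21 (javax JAX-RS), that the same authenticator is placed once in the browser flow ahead of the Identity Provider Redirector and once in the post-broker-login flow (the authentication session, and so the auth note, survives the round trip to the external provider), that `org.keycloak.http.HttpResponse#addHeader` is available for emitting the cookie, and that the `AuthenticatorFactory` registration and the package name are the integrator's own.

```java
package com.example.keycloak.fixation; // hypothetical package name
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.*;
import org.keycloak.sessions.AuthenticationSessionModel;
public class CustomSessionIdAuthenticator implements Authenticator {
    static final String NAME = "custom_session_id"; // cookie name and auth-note name, as in the thread
    private static final SecureRandom RNG = new SecureRandom();
    @Override public void authenticate(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        String expected = authSession.getAuthNote(NAME);
        if (expected == null) {
            // Steps 1-3: fresh login attempt. Mint a value, pin it to this auth session as a note, send it as a cookie.
            String fresh = newId();
            authSession.setAuthNote(NAME, fresh);
            NewCookie cookie = new NewCookie(NAME, fresh, "/", null, null,
                    NewCookie.DEFAULT_MAX_AGE, true, true); // Secure + HttpOnly, session lifetime
            // Assumption: HttpResponse#addHeader exists in the deployed Keycloak version.
            context.getSession().getContext().getHttpResponse().addHeader("Set-Cookie", cookie.toString());
            context.success();
            return;
        }
        // Steps 4-5: back from the external provider. The presented cookie must equal the pinned note (constant time).
        Cookie presented = context.getHttpRequest().getHttpHeaders().getCookies().get(NAME);
        if (presented == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                presented.getValue().getBytes(StandardCharsets.UTF_8))) {
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS); // fixed or missing value: stop the flow
            return;
        }
        context.success();
    }
    private static String newId() {
        byte[] b = new byte[32]; // 256 bits from a CSPRNG, URL-safe base64 without padding
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Because the value is bound to the server-side authentication session rather than to whatever cookie the browser presented first, a cookie planted before login cannot pass the comparison on the return leg.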