AndrejWeb/session-hijacking
Session Hijacking

Session hijacking is one of the many security exploits a website or web application can be exposed to. In session hijacking, an attacker steals the session ID of a valid user and uses it to send fraudulent requests to the server and gain unauthorized access.

Regenerating the session ID whenever user privileges change (for example, from regular visitor to logged-in user) can prevent this. The step is often overlooked or forgotten, hence this reminder. It is one of several methods to prevent session hijacking and session fixation.

Uncomment the line

session_regenerate_id(true);

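in index.php and logout.php and see how the session ID changes every time you log in to and log out of the system. Because the argument true also deletes the old session, an ID stolen before the change stops working, which makes it difficult for the attacker to exploit the stolen session ID.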
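The effect of that one line, as an added example that is not the repository's index.php: a command-line script (run with php) that logs in with and without regeneration and then replays the pre-login session ID. The function names, the temp-dir save path and the plaintext admin/admin user table are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Assumption: session files go to the system temp dir so the script runs anywhere.
session_save_path(sys_get_temp_dir());

// Constructed user table; admin/admin mirrors the credentials used on this page.
// Real code stores password_hash() output and checks it with password_verify().
const USERS = ['admin' => 'admin'];

function login(string $user, string $pass, bool $regenerate): bool
{
    if (!isset(USERS[$user]) || !hash_equals(USERS[$user], $pass)) {
        return false;
    }
    if ($regenerate) {
        // Privilege change: issue a new ID; true deletes the old session data.
        session_regenerate_id(true);
    }
    $_SESSION['user'] = $user;
    return true;
}

// What a request carrying $id would be treated as (null = not logged in).
function replay(string $id): ?string
{
    session_write_close();          // persist the legitimate user's session
    session_id($id);
    session_start();
    $user = $_SESSION['user'] ?? null;
    session_write_close();
    return $user;
}

function scenario(bool $regenerate): array
{
    session_id(session_create_id());
    session_start();
    $preLoginId = session_id();     // the ID a thief could have captured
    login('admin', 'admin', $regenerate);
    return ['id_changed' => session_id() !== $preLoginId,
            'replay_sees' => replay($preLoginId)];
}

// Collect first, print last: output before session calls would block them in CLI.
$results = ['without regeneration' => scenario(false),
            'with regeneration' => scenario(true)];
foreach ($results as $label => $r) {
    printf("%s: id changed=%s, old ID is logged in as %s\n", $label,
        var_export($r['id_changed'], true), var_export($r['replay_sees'], true));
}
```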

Here are screenshots of a successfully performed session hijacking that grants unauthorized access. I'm using Postman to send requests with the hijacked session ID.

1 (screenshot)

2 (screenshot)

3 Now let's log in using admin/admin as the username/password combination (notice how the session ID is the same all the time). (screenshot)

4 Sending the request via Postman this time. Notice the session ID is different since this is a different request, and we're not allowed to view the admin page. (screenshot)

5 (screenshot)

6 (screenshot)

7 We send the request again and this time we see the admin page. (screenshot)

About

Demonstration on session hijacking vulnerability
