Session fixation - Vulnerability Database

Session fixation

Description

Manual confirmation is required for this alert.

Session Fixation is a vulnerability that allows an attacker to hijack a user's authenticated session by fixing the victim's session identifier before the victim logs in. It occurs when a web application accepts a session ID presented by the client (in a URL parameter or a cookie) and keeps using that same ID after successful authentication instead of issuing a new one. The attacker first obtains a valid, not yet authenticated session ID from the application (or, if the application accepts arbitrary values, simply chooses one), tricks the victim into authenticating while presenting it, for example through a link that carries the ID in the URL, and then presents that same ID to access the victim's authenticated session.

Remediation

Implement proper session management practices to prevent session fixation attacks:

1. Regenerate session IDs after authentication: Always create a new session identifier when a user successfully authenticates, invalidating any pre-existing session ID.

// Example (PHP)
// Accept the session ID only from the cookie and never adopt an
// uninitialized ID supplied by the client (session.use_strict_mode).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_start();
$user_id = authenticate_user($username, $password); // application-defined: returns the user ID or false
if ($user_id !== false) {
    // Issue a fresh ID and delete the old session file; any ID the
    // attacker planted before login is now worthless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
    $_SESSION['authenticated'] = true;
}

// Example (Java servlet)
// Invalidate whatever session the client presented before login ...
HttpSession oldSession = request.getSession(false);
if (oldSession != null) {
    oldSession.invalidate(); // also discards its attributes
}
// ... and start a new one with a freshly generated ID for the authenticated user.
HttpSession newSession = request.getSession(true);
newSession.setAttribute("userId", userId);
// Servlet 3.1+ alternative that keeps the existing attributes:
// String newId = request.changeSessionId();

2. Reject session IDs from URL parameters: Only accept session identifiers from secure cookies, never from GET parameters or other user-controllable sources.

3. Set secure cookie attributes: Use HttpOnly, Secure, and SameSite flags on session cookies to prevent client-side access and cross-site attacks.

4. Implement session validation: As defense in depth, bind each session to additional properties observed at login, such as the client IP address or User-Agent, and check them on every request. This supplements step 1 rather than replacing it, and both properties can be spoofed by an attacker who knows them; IP addresses also change legitimately behind NAT, proxies and mobile networks, so a mismatch should force re-authentication rather than silently break the session.
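The four steps above, played out against a toy session manager. This is an added example and not code from the Invicti page or its products: the SessionStore class, its two switches (regenerate on login, accept the ID from the URL), the dict-shaped requests, the user "alice" and the User-Agent strings are all constructed for illustration, and no real HTTP is involved. The same attack is run against a vulnerable configuration, where the attacker ends up logged in as the victim, and against a hardened one, where the planted ID is dead after login whether it arrived in the URL or in a cookie.

```python
"""Session fixation, vulnerable and hardened, in one toy session manager.

Added example, not code from the original page. SessionStore, its switches,
the dict-shaped 'requests', the user 'alice' and the User-Agent strings are
constructed for illustration; no real HTTP is involved.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed credential table; a real application would verify a password hash.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    user: Optional[str] = None  # None until the client authenticates
    ua: Optional[str] = None    # User-Agent captured at login (step 4)


class SessionStore:
    """Server-side session table keyed by session ID (SID)."""

    def __init__(self, regenerate_on_login: bool, accept_url_sid: bool):
        self.regenerate_on_login = regenerate_on_login  # step 1
        self.accept_url_sid = accept_url_sid            # the opposite of step 2
        self.sessions: dict = {}

    def new_sid(self) -> str:
        sid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self.sessions[sid] = Session()
        return sid

    def sid_from_request(self, req: dict) -> Optional[str]:
        """SID the client presented: the cookie, or (vulnerable mode) ?sid=."""
        sid = req.get("cookies", {}).get("SID")
        if sid is None and self.accept_url_sid:
            sid = req.get("query", {}).get("sid")
        return sid

    def login(self, req: dict, username: str, password: str) -> Optional[str]:
        """Authenticate; return the SID the client must use from now on."""
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        sid = self.sid_from_request(req)
        if sid is None or sid not in self.sessions:
            sid = self.new_sid()
        if self.regenerate_on_login:
            # Discard the pre-auth SID, which an attacker may have chosen,
            # and bind the login to an ID that only this response carries.
            self.sessions.pop(sid, None)
            sid = self.new_sid()
        sess = self.sessions[sid]
        sess.user = username
        sess.ua = req.get("headers", {}).get("User-Agent")
        return sid

    def whoami(self, req: dict) -> Optional[str]:
        """User behind the presented SID, or None if it is not authenticated."""
        sess = self.sessions.get(self.sid_from_request(req))
        if sess is None or sess.user is None:
            return None
        if sess.ua != req.get("headers", {}).get("User-Agent"):
            return None  # step 4: bound to the User-Agent seen at login
        return sess.user


def set_cookie_header(sid: str) -> str:
    """Step 3: the Set-Cookie line a hardened server emits for the SID."""
    return f"SID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def run_fixation_attack(store: SessionStore, plant: str,
                        attacker_ua: str = "VictimBrowser/1.0") -> Optional[str]:
    """Play the attack against `store`; return whom the attacker is logged in as.

    plant="url"    the victim follows a link carrying ?sid=<known SID>
    plant="cookie" the attacker managed to set the SID cookie in the victim's browser
    """
    fixed_sid = store.new_sid()  # 1. attacker obtains a valid, unauthenticated SID
    victim_req = {"headers": {"User-Agent": "VictimBrowser/1.0"}}
    if plant == "url":
        victim_req["query"] = {"sid": fixed_sid}
    else:
        victim_req["cookies"] = {"SID": fixed_sid}
    store.login(victim_req, "alice", USERS["alice"])  # 2. victim logs in with it
    attacker_req = {"cookies": {"SID": fixed_sid},    # 3. attacker replays it
                    "headers": {"User-Agent": attacker_ua}}
    return store.whoami(attacker_req)


if __name__ == "__main__":
    vulnerable = SessionStore(regenerate_on_login=False, accept_url_sid=True)
    hardened = SessionStore(regenerate_on_login=True, accept_url_sid=False)
    print("vulnerable, SID via URL:   ", run_fixation_attack(vulnerable, "url"))
    print("hardened,   SID via URL:   ", run_fixation_attack(hardened, "url"))
    print("hardened,   SID via cookie:", run_fixation_attack(hardened, "cookie"))
```

Regeneration alone (regenerate_on_login=True with the URL still accepted) already defeats a cookie-planted ID, because the planted ID is removed from the table the moment the victim logs in; rejecting URL-supplied IDs closes the easier delivery channel. The User-Agent check only helps when the attacker cannot guess the victim's browser string, which is why the remediation lists it as an additional measure rather than the fix.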
