Session Management / Session Fixation

Description

Session fixation is enabled by the insecure practice of preserving the same value of the session cookies before and after authentication.

Risk

In the generic exploit of session fixation vulnerabilities, an attacker can obtain a set of session cookies from the target website without first authenticating. The attacker can then force these cookies into the victim’s browser using different techniques. If the victim later authenticates at the target website and the cookies are not refreshed upon login, the victim will be identified by the session cookies chosen by the attacker. The attacker is then able to impersonate the victim with these known cookies.

Solution

The best way to protect against Session Fixation is to ensure that each user is issued a new session identifier (ID) when they authenticate to the application. This can be done by using secure tokens, random numbers, or a combination of both. This ensures that the session ID cannot be guessed or predicted, which prevents an attacker from hijacking the user's session. Additionally, applications should always validate the session identifier each time a user makes a request.