Session Management / Session Fixation

Description

Session Fixation (CWE-384) is a web security vulnerability that occurs when an attacker forces a user's web browser to authenticate to a web site using a fixed session ID. This type of attack is particularly dangerous as it allows an attacker to hijack a user's authenticated session and gain access to confidential information. The attack can be performed on both Web and API applications.

Risk

Session Fixation is a high-severity vulnerability that can result in the unauthorized access of confidential information and data, as well as the ability to perform malicious actions. The risk assessment of this vulnerability is high and the consequences can be severe.

Solution

The best way to protect against Session Fixation is to ensure that each user is issued a new session identifier (ID) when they authenticate to the application. This can be done by using secure tokens, random numbers, or a combination of both. This ensures that the session ID cannot be guessed or predicted, which prevents an attacker from hijacking the user's session. Additionally, applications should always validate the session identifier each time a user makes a request.