Session Fixation

Category: Security Misconfiguration

Severity: Medium

Description

Session Fixation is an attack that allows an attacker to hijack a valid user session. It exploits a weakness in how the vulnerable web application manages the session ID: when authenticating a user, the application does not assign a new session ID, so an existing one can continue to be used after login. The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing the victim to authenticate with that session ID, and then hijacking the authenticated session by knowledge of that ID. The attacker has to supply a legitimate session ID for the web application and try to make the victim's browser use it.

Once the attacker has a valid session ID, they can trick the victim into using that session ID.

This can be done by sending the victim a link that contains the session ID or by embedding the session ID in a malicious email.

Impact

  • Account Takeover

Remediation

While session fixation attacks are not easy to perform except in the most trivial cases, they are also not easy to completely eliminate. Prevention depends on treating the session ID as highly sensitive data and combining multiple safeguards as a defense-in-depth session management strategy to ensure that attackers can’t access or guess the identifier. The application must also be careful about the values it generates and accepts.

Here is a non-exhaustive list of common techniques for session fixation protection:

  • Use cookies marked as HttpOnly and Secure to set and store session identifiers

  • Never use GET or POST variables to transmit session IDs

  • Accept only server-generated IDs

  • Set a time limit for old session IDs

  • Generate a new session ID for each request
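The following added example (not code from the original page) contrasts the weakness described above with the remediations listed: a minimal in-memory session store that, in its vulnerable mode, adopts any client-presented ID and keeps it across login, and in its safe mode accepts only server-generated IDs, expires old ones, and rotates the ID at authentication. Class and function names are hypothetical.

```python
import secrets
import time


class SessionStore:
    """Minimal in-memory session manager (added example). fixation_safe=False
    reproduces the weakness in the description; fixation_safe=True applies the
    remediations: server-generated IDs only, expiry, and rotation at login."""

    def __init__(self, fixation_safe, max_age=3600):
        self.fixation_safe = fixation_safe
        self.max_age = max_age
        self.sessions = {}  # session ID -> {"user": ..., "created": ...}

    def _new_sid(self):
        sid = secrets.token_urlsafe(32)  # unguessable, server-generated
        self.sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def resolve(self, presented_sid):
        """Decide which session ID a request carrying `presented_sid` uses."""
        session = self.sessions.get(presented_sid)
        if session is not None:
            if time.time() - session["created"] > self.max_age:
                del self.sessions[presented_sid]  # retire stale IDs
                return self._new_sid()
            return presented_sid
        if self.fixation_safe or presented_sid is None:
            return self._new_sid()  # unknown ID: ignore it, issue our own
        # vulnerable path: register the client-chosen ID as a live session
        self.sessions[presented_sid] = {"user": None, "created": time.time()}
        return presented_sid

    def login(self, sid, user):
        """Bind `user` to the session; the safe store rotates the ID first."""
        if self.fixation_safe:
            del self.sessions[sid]  # the pre-login ID becomes worthless
            sid = self._new_sid()
        self.sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_scenario(fixation_safe, attacker_has_real_id):
    """Planted ID -> victim logs in -> attacker presents the planted ID."""
    store = SessionStore(fixation_safe)
    planted = store.resolve(None) if attacker_has_real_id else "attacker-chosen"
    victim_sid = store.resolve(planted)  # victim's request carries the planted ID
    store.login(victim_sid, "victim")
    return store.user_for(planted)  # "victim" means the fixation succeeded
```

In safe mode the planted ID never becomes an authenticated session, while the legitimate user still receives a working, freshly generated ID from `login`.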

Reference

https://acrossecurity.com/papers/session_fixation.pdf

https://owasp.org/www-community/attacks/Session_fixation
