
Why Session Fixation can be dangerous

Session Fixation allows an attacker to hijack a user's session. The attacker first fixes the session ID that the victim will use and later presents that same ID to the application in order to be treated as authenticated. From then on the attacker is able to perform any action on behalf of the attacked user.

This issue can occur:

with a login URL (the page where the user authenticates). The attacker provides the victim with a URL that carries a fixed session ID; once the victim authenticates, the attacker is able to assume the victim's identity using that session ID.

with a non-login page. In this case the attacker may only be able to track an unauthenticated user's actions.

in a cookie field or a form field (POST parameter). Another vulnerability may be needed in order to set the cookie on the victim's browser and exploit the issue.

How to fix Session Fixation

Enforce strict session management: accept only session IDs that the server itself allocated, and issue the authenticated session ID only upon successful authentication.

Every time authentication succeeds, generate a new session ID, even if a session already exists.

Do not use URL-based session IDs. Switch to a cookie- or form-based implementation, as these usually require other vulnerabilities to be exploitable.

Create a mechanism for destroying old sessions both on the server and on the client.

Ensure that your logout functionality properly destroys all previous sessions.

Bind the session to some other data, such as the client's SSL certificate or IP address.

Introduce a session timeout.
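As an added example (not ScanRepeat's code), a minimal in-memory session store in Python that puts a fixation-prone login next to one applying the fixes above: the client-presented ID is discarded and a fresh server-allocated ID issued on login, the session is bound to the client IP, and it is destroyed on logout and on timeout. The store, the IP binding and the timeout value are assumptions chosen for illustration.

```python
import secrets
import time

# Assumed timeout for the "introduce a session timeout" mitigation (seconds).
SESSION_TIMEOUT = 900


class SessionStore:
    """Illustrative in-memory session store (not a production implementation)."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user": str | None, "ip": str, "last": float}

    def _new(self, ip):
        sid = secrets.token_urlsafe(32)  # server-allocated, unguessable
        self.sessions[sid] = {"user": None, "ip": ip, "last": time.time()}
        return sid

    def login_vulnerable(self, sid, user, ip):
        # Fixation-prone: trusts whatever ID the client presents (e.g. one
        # carried in a link the attacker sent) and upgrades that same ID
        # to an authenticated session.
        rec = self.sessions.setdefault(sid, {"user": None, "ip": ip, "last": time.time()})
        rec["user"] = user
        return sid

    def login_fixed(self, sid, user, ip):
        # Fixed: destroy whatever pre-authentication session was presented
        # (server-issued or not) and issue a brand-new ID, so any value the
        # attacker fixed beforehand never becomes an authenticated session.
        self.sessions.pop(sid, None)
        new_sid = self._new(ip)
        self.sessions[new_sid]["user"] = user
        return new_sid

    def current_user(self, sid, ip, now=None):
        # Resolve a session: unknown IDs, IP mismatches and expired sessions
        # all yield no user; mismatched and expired sessions are destroyed.
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        now = time.time() if now is None else now
        if rec["ip"] != ip or now - rec["last"] > SESSION_TIMEOUT:
            self.logout(sid)
            return None
        rec["last"] = now
        return rec["user"]

    def logout(self, sid):
        # Server-side destruction; the client cookie should be cleared too.
        self.sessions.pop(sid, None)
```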

How does ScanRepeat report Session Fixation

ScanRepeat identifies Session Fixation vulnerabilities in cookie fields, URL fields and session IDs built into the URL path. It reports every occurrence of such a vulnerability along with its URL.

Would you like to test your application now against this problem? Sign up for our free trial.
