This article is a part of our Web Security Knowledge Base.
Why Session Fixation can be dangerous
Session Fixation allows an attacker to hijack a user's session. This is achieved by fixing the session ID for the victim beforehand and later using that same ID to authenticate as the victim. The attacker is then able to perform any action on behalf of the attacked user.
This issue can occur:
with a login URL (where the user authenticates). The URL might be provided by an attacker along with a fixed session ID. The attacker is then able to assume the identity of the victim using the given session ID.
with a non-login page. In this case the attacker may only be able to track the unauthenticated user's actions.
on a cookie field or a form field (POST parameter). Some other vulnerability may be needed in order to set the cookie field on the victim’s browser and exploit the issue.
How to fix Session Fixation
Allocate session IDs strictly, issuing them only upon successful authentication.
Every time authentication succeeds, generate a new session ID, even if a session already exists for that client.
Do not use URL-based session IDs. Switch to a cookie- or form-based implementation, as these usually require other vulnerabilities to be exploitable.
Create a mechanism for destroying old sessions both on the server and on the client.
Ensure that your logout functionality properly destroys all previous sessions.
Bind the session to some other data, such as the client's SSL certificate or IP address.
Introduce a session timeout.
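The following is an added example (not code from the original article or from ScanRepeat) showing the core of the fix: a minimal in-memory session store, constructed for this illustration, with a login handler that keeps the client-presented ID beside one that rotates the ID on successful authentication and destroys the old session. The user database, the store and the simulation function are all assumptions made for the example.

```python
import secrets

# Constructed user database for the example; a real system would verify a
# password hash, not a plaintext comparison.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Minimal server-side session store keyed by session ID."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": username or None}

    def new_session(self):
        # Pre-authentication session, e.g. created when a browser first visits.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user, password):
        # Keeps whatever session ID the client presented (even one the server
        # never issued), so a planted ID becomes an authenticated session.
        if USERS.get(user) != password:
            return None
        self.sessions.setdefault(sid, {"user": None})["user"] = user
        return sid

    def login_fixed(self, sid, user, password):
        # Rotate the ID on every successful authentication and drop the old
        # session on the server; the client is sent the new ID in its cookie.
        if USERS.get(user) != password:
            return None
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def logout(self, sid):
        # Logout must destroy the server-side session, not just the cookie.
        self.sessions.pop(sid, None)

    def user_for(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def simulate_fixation(fixed):
    """Who does a pre-planted session ID belong to after the victim logs in?"""
    store = SessionStore()
    planted = store.new_session()  # ID obtained before the victim authenticates
    login = store.login_fixed if fixed else store.login_vulnerable
    login(planted, "alice", USERS["alice"])  # victim logs in with that ID
    return store.user_for(planted)  # "alice" if vulnerable, None if fixed
```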
How does ScanRepeat report Session Fixation
ScanRepeat identifies Session Fixation vulnerabilities in cookie fields, URL fields and session IDs built into the URL path. It reports every occurrence of such a vulnerability along with its URL.