Session Fixation
What is Session Fixation?
Session Fixation: An attack in which the adversary plants a known session identifier in the victim's browser before login, so it remains valid for the attacker after authentication.
Session fixation exploits applications that keep the same session identifier across the transition from unauthenticated to authenticated. The attacker first obtains or chooses a session ID (for example by luring the victim through a crafted link that carries a 'JSESSIONID' URL parameter, or by injecting a cookie through a script-injection flaw or a cooperating subdomain) and waits for the victim to log in. Because the server keeps the fixed ID for the authenticated session, the attacker, who already knows it, can now act as the victim without stealing a password or sniffing traffic. The canonical defence is to invalidate any pre-login session and issue a brand-new, cryptographically random session ID upon successful authentication (and again on any privilege change), delivered in a cookie set with 'HttpOnly', 'Secure' and 'SameSite'. Further hardening: never adopt a session ID the server did not itself issue, reject session IDs supplied via URL parameters, and bind sessions to client attributes such as the TLS channel or User-Agent, with the caveat that binding to the client IP address breaks users behind changing or shared addresses.
● Examples
- 01
Attacker emails a link carrying '?sid=abc'; the application accepts the unknown ID and sets it as the session cookie, and the attacker reuses 'abc' after the victim logs in.
- 02
A session cookie scoped to the parent domain is shared between subdomains, so a compromised subdomain can set it and thereby fix the main app's session.
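The following added example (written for this page; not code from any framework or from the page's author) plays out example 01 against a minimal in-memory session store and shows why regenerating the ID on login is the defence that matters. The store's 'strict' flag, the 'login_vulnerable' and 'login_hardened' handlers, the 'simulate_fixation' driver and the credential table are all constructed for the demonstration. With strict=False the server adopts any cookie value it is handed, so the attacker simply picks 'abc'; with strict=True the attacker must first obtain a genuine unauthenticated ID, which is still enough against a login handler that keeps the pre-login ID:

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Constructed credential table for the demo; a real application stores password hashes.
USERS = {"alice": "correct horse battery staple"}


def check_password(user: str, password: str) -> bool:
    stored = USERS.get(user)
    return stored is not None and secrets.compare_digest(stored, password)


@dataclass
class Session:
    user: str | None = None  # None until the holder has authenticated


class SessionStore:
    """In-memory session table keyed by the ID carried in the session cookie.

    strict=False reproduces the "session adoption" behaviour of some frameworks:
    a cookie value the server never issued is accepted and a session is created
    for it, which is exactly what an attacker planting '?sid=abc' relies on.
    """

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.sessions: dict[str, Session] = {}

    def new_id(self) -> str:
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def resolve(self, cookie_id: str | None) -> str:
        """Return the session ID this request runs under, creating one if needed."""
        if cookie_id is not None and cookie_id in self.sessions:
            return cookie_id
        if cookie_id is not None and not self.strict:
            self.sessions[cookie_id] = Session()  # adopts an attacker-chosen ID
            return cookie_id
        sid = self.new_id()
        self.sessions[sid] = Session()
        return sid


def login_vulnerable(store: SessionStore, cookie_id: str | None,
                     user: str, password: str) -> str:
    """Keeps the pre-login ID across authentication: the fixation bug."""
    sid = store.resolve(cookie_id)
    if check_password(user, password):
        store.sessions[sid].user = user
    return sid


def login_hardened(store: SessionStore, cookie_id: str | None,
                   user: str, password: str) -> str:
    """Invalidates the pre-login session and issues a fresh ID on success."""
    old = store.resolve(cookie_id)
    if not check_password(user, password):
        return old
    store.sessions.pop(old, None)  # anything planted before login dies here
    new = store.new_id()
    store.sessions[new] = Session(user=user)
    return new


def session_cookie(sid: str) -> str:
    """Set-Cookie header for the issued ID with the attributes the text recommends."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def simulate_fixation(strict: bool, login) -> str | None:
    """Play out example 01 and return whom the attacker's planted ID is
    logged in as afterwards; None means the attack failed."""
    store = SessionStore(strict=strict)
    # Non-strict: the attacker simply chooses 'abc'. Strict: the attacker must
    # first obtain a genuine, unauthenticated ID from the server.
    planted = "abc" if not strict else store.resolve(None)
    # The victim's browser presents the planted ID while logging in.
    login(store, planted, "alice", "correct horse battery staple")
    # Later the attacker presents the same planted ID.
    session = store.sessions.get(planted)
    return session.user if session else None


if __name__ == "__main__":
    for strict in (False, True):
        for name, login in (("vulnerable", login_vulnerable),
                            ("hardened", login_hardened)):
            who = simulate_fixation(strict, login)
            print(f"strict={strict} {name}: attacker's ID is logged in as {who!r}")
```

Running it shows the attacker ending up logged in as 'alice' under 'login_vulnerable' in both modes, and under 'login_hardened' in neither: refusing to adopt unknown IDs only raises the attacker's cost, whereas regenerating the ID at login removes the planted session outright.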
● Frequently asked questions
What is Session Fixation?
An attack in which the adversary plants a known session identifier in the victim's browser before login, so it remains valid for the attacker after authentication. It belongs to the Application Security category of cybersecurity.
What does Session Fixation mean?
An attack in which the adversary plants a known session identifier in the victim's browser before login, so it remains valid for the attacker after authentication.
How do you defend against Session Fixation?
Regenerate the session ID on successful login (invalidating the pre-login session), refuse to adopt session IDs the server did not issue or that arrive in URL parameters, and set session cookies with 'HttpOnly', 'Secure' and 'SameSite', as detailed in the full definition above.