
Session Fixation

An attack where an adversary sets a user's session identifier to a known value, then hijacks the session after the user authenticates.

Session fixation is an attack technique where an adversary forces a victim's browser to use a session identifier that the attacker already knows. If the application does not issue a new session ID upon authentication, the attacker can use the pre-set session ID to access the victim's authenticated session after they log in, effectively hijacking their account.

How It Works

The attack unfolds in three stages. First, the attacker obtains a valid session identifier from the target application by simply visiting the site and receiving a session cookie. Second, the attacker forces the victim's browser to adopt this known session ID. This can be accomplished through several methods: injecting a Set-Cookie header via a cross-site scripting vulnerability, using a meta tag or JavaScript on a controlled page, exploiting a related subdomain to set cookies for the parent domain, or including the session ID in a crafted URL if the application supports URL-based session tokens.

Third, the victim authenticates to the application. If the application does not regenerate the session identifier upon successful login, the pre-login session ID remains active and is now associated with the authenticated user. The attacker, who knows this session ID, can use it to access the application as the victim without ever needing their credentials.

The vulnerability exists because the application trusts session identifiers from unauthenticated contexts. A secure implementation invalidates the old session and generates a completely new session identifier whenever the authentication state changes, whether through login, logout, privilege elevation, or role change. This ensures that any pre-existing session token becomes worthless after the user authenticates.

Why It Matters

Session fixation is a straightforward path to account takeover that exploits a common oversight in session management. Many applications correctly generate random session IDs and transmit them securely but fail to regenerate them at authentication boundaries. Security assessments specifically test whether session IDs change after login, because this single check determines whether the application is vulnerable to fixation attacks that bypass the entire authentication mechanism.
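As an added illustration (not code from the original glossary entry), the following minimal in-memory session store contrasts a login that keeps the pre-authentication session ID with one that regenerates it, and includes the "does the session ID change after login" check that assessments perform; `SessionStore`, `login_vulnerable`, `login_hardened` and the two check functions are constructed names for this example.

```python
import secrets


class SessionStore:
    """Minimal server-side session store, constructed for this example."""

    def __init__(self):
        self.sessions = {}  # session_id -> session data

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # random, unguessable ID
        self.sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)


def login_vulnerable(store, sid, username):
    """Authenticates in place: the pre-login ID stays valid, so anyone who
    knew `sid` before login now holds the authenticated session."""
    session = store.get(sid)
    if session is None:  # unknown ID: fall back to a fresh session
        sid = store.new_session()
        session = store.get(sid)
    session["user"] = username
    return sid  # same ID the browser presented


def login_hardened(store, sid, username):
    """Invalidates the presented session and issues a new ID at the
    authentication boundary, so a fixated ID becomes worthless."""
    store.sessions.pop(sid, None)  # old session is gone, not just reused
    new_sid = store.new_session()
    store.sessions[new_sid]["user"] = username
    return new_sid


def attacker_can_hijack(login):
    """Replay the three stages from the text against a given login routine.
    Returns True if the ID the attacker obtained before login now maps to
    the victim's authenticated session."""
    store = SessionStore()
    fixated_sid = store.new_session()   # stage 1: attacker obtains an ID
    login(store, fixated_sid, "victim")  # stages 2-3: victim uses it, logs in
    s = store.get(fixated_sid)
    return s is not None and s["user"] == "victim"


def session_id_changes_after_login(login):
    """The assessment check: a new ID is issued and the old one is dead."""
    store = SessionStore()
    before = store.new_session()
    after = login(store, before, "alice")
    return after != before and store.get(before) is None
```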
