CWE-384

Session Fixation

Compound

Incomplete

Description

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

{"xhtml:p":["Such a scenario is commonly observed when:","In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user's account through the active session."],"xhtml:ul":[{"xhtml:li":["A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user.","An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.","The application or container uses predictable session identifiers."]}]}

Parent Weaknesses (ChildOf)

CWE-610: Externally Controlled Referenc...

Related Weaknesses

CWE-346 (Requires)

CWE-472 (Requires)

CWE-441 (Requires)

Common Consequences

Scope

Access Control

Impact

Gain Privileges or Assume Identity

Potential Mitigations

Architecture and Design

Invalidate any existing session identifiers prior to authorizing a new user session.

Architecture and Design

For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.

Operation

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CVE-2022-2820

Website software for game servers does not proprerly terminate user sessions, allowing for possible session fixation

Applicable Platforms

Not Language-Specific

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now