# Session Fixation (CWE-384)

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

**Stack:** Python

- Prevalence: Medium (3 languages covered)
- Impact: High (3 high-severity rules)
- Prevention: Documented (3 fix examples)

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

In a session fixation attack, the attacker sets a user's session ID to a known value before the user authenticates. After authentication, the attacker can use the known session ID to hijack the authenticated session.

## Prevention

Prevention strategies for Session Fixation, based on 1 Shoulder detection rule.

### Key Practices

- Never let an authenticated session continue under a session ID that the attacker may already know (the ID that existed before login)

### Python

Regenerate the session ID immediately after successful authentication.

## Warning Signs

- [HIGH] Missing session regeneration after authentication, which enables session fixation attacks

## Consequences

- Gain privileges
- Bypass protection mechanism

## Mitigations

- Regenerate session identifiers after successful authentication
- Invalidate old sessions when creating new ones
- Use secure session-management libraries

## Detection

- Total rules: 3
- Languages: javascript, typescript, go, python

## Rules by Language

### Python (1 rule)

- **Session Fixation Vulnerability** [HIGH]: Detects missing session regeneration after authentication, which enables session fixation attacks. Session fixation is a serious authentication vulnerability where an attacker forces a victim to use a session ID that the attacker already knows. The attack works like this:
  1. Attacker obtains a valid session ID (e.g., by visiting the login page)
  2. Attacker tricks victim into authenticating with that session ID (via URL, cookie injection, etc.)
  3. Victim logs in, and the pre-known session ID be
  - Remediation: Regenerate the session ID after successful authentication.

```python
from flask import Flask, session, request, redirect
from flask_login import LoginManager, login_user

app = Flask(__name__)
app.secret_key = 'REPLACE-WITH-A-RANDOM-SECRET'  # placeholder: load a real secret from configuration
login_manager = LoginManager(app)

# `User` (the user model) and `check_password` (password-hash verification) are
# application-defined and not shown on this page.


def regenerate_session():
    # Copy the current session data, drop the session, then restore the data so the
    # authenticated session does not simply continue under the pre-login identifier.
    # Caveat: whether this produces a new server-side session identifier depends on
    # the session backend in use; with a server-side store, use that backend's own
    # regeneration facility if it provides one.
    data = dict(session)
    session.clear()
    session.update(data)


@app.route('/login', methods=['POST'])
def login():
    user = User.query.filter_by(username=request.form['username']).first()
    if user and check_password(user.password, request.form['password']):
        regenerate_session()  # Regenerate BEFORE login
        login_user(user)
        return redirect('/dashboard')
    return 'Invalid credentials', 401
```

Learn more: https://shoulder.dev/learn/python/cwe-384/session-fixation
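The three attack steps and the remediation above, as an added example that is not part of this page or of Shoulder's rule set: a minimal in-memory server-side session store with a vulnerable login handler beside a hardened one, and a scenario function that checks whether the pre-authentication session ID still maps to the authenticated session afterwards. `SessionStore`, `login_vulnerable`, `login_hardened`, `fixation_scenario` and the sample credentials are constructed for this illustration; step 2 (how the victim comes to present the attacker-known ID) is assumed and not modelled.

```python
"""Added example (not Shoulder's code): why a login handler must issue a fresh session ID.

All names here are constructed for this illustration; a real application would back
SessionStore with Redis or a database and use its framework's session regeneration.
"""
import hmac
import secrets


class SessionStore:
    """In-memory session store keyed by session ID (assumption: stand-in for a real backend)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        """Issue a fresh, unauthenticated session (what visiting the login page does)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, old_sid):
        """The CWE-384 fix: move the data to a new ID and invalidate the old one."""
        data = self._sessions.pop(old_sid, {})
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


# Constructed sample credentials (a real system stores password hashes, never plaintext).
USERS = {"alice": "correct horse battery staple"}


def check_password(username, password):
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def login_vulnerable(store, sid, username, password):
    """Keeps whatever session ID the client presented: the session-fixation defect."""
    sess = store.get(sid)
    if sess is None:
        return None
    if check_password(username, password):
        sess["user"] = username  # authenticated state attached to the pre-known ID
        return sid
    return None


def login_hardened(store, sid, username, password):
    """Regenerates the session ID on successful authentication."""
    if store.get(sid) is None:
        return None
    if check_password(username, password):
        new_sid = store.regenerate(sid)  # old ID is gone from the store
        store.get(new_sid)["user"] = username
        return new_sid
    return None


def fixation_scenario(login):
    """Steps 1-3 from the rule description, using the given login handler.

    Returns True if the pre-known session ID now maps to the authenticated session,
    i.e. the handler is vulnerable to session fixation.
    """
    store = SessionStore()
    attacker_sid = store.create()  # step 1: a valid pre-authentication session ID
    # step 2: victim ends up presenting attacker_sid (assumed, not modelled here)
    login(store, attacker_sid, "alice", "correct horse battery staple")  # step 3: victim logs in
    sess = store.get(attacker_sid)
    return sess is not None and sess.get("user") == "alice"


if __name__ == "__main__":
    print("vulnerable login hijackable:", fixation_scenario(login_vulnerable))  # True
    print("hardened login hijackable:", fixation_scenario(login_hardened))  # False
```

The detection rule on this page flags the first handler's shape (authentication succeeds, session state is written, no regeneration). Note that the hardened handler regenerates before writing the authenticated state, matching the "Regenerate BEFORE login" ordering in the Flask remediation.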