# Session Fixation (CWE-384)

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

- Prevalence: 보통 3개 언어 지원
- Impact: 높음 3개의 높은 심각도 규칙
- Prevention: 문서화됨 3개의 수정 예시

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

In a session fixation attack, the attacker sets a user's session ID to a known value before the user authenticates. After authentication, the attacker can use the known session ID to hijack the authenticated session.

## Prevention

3개의 Shoulder 탐지 규칙을 기반으로 한 Session Fixation 예방 전략.

### Key Practices

- Use predictable values or cookies lack Secure/HttpOnly flags
- Use a session ID that the attacker already knows

### JavaScript

Configure sessions with environment-based secrets and secure cookie flags

### Go

Use crypto/rand for session IDs with Secure, HttpOnly, and SameSite cookie flags

### Python

Regenerate the session ID immediately after successful authentication

## Warning Signs

- [HIGH] Session configuration has security vulnerabilities
- [HIGH] insecure session configuration including weak secrets, insecure cookies, and missing security flags
- [HIGH] Session management has security weaknesses
- [HIGH] missing session regeneration after authentication, which enables session
fixation attacks

## Consequences

- 권한 획득
- 보호 메커니즘 우회

## Mitigations

- 인증에 성공한 후 세션 ID를 재생성하세요
- 새 세션을 생성할 때 이전 세션을 무효화하세요
- 안전한 세션 관리 라이브러리를 사용하세요

## Detection

- Total rules: 3
- Languages: javascript, typescript, go, python

## Rules by Language

### Javascript (1 rules)

- **Express Insecure Session Configuration** [HIGH]: Detects insecure session configuration including weak secrets, insecure cookies, and missing security flags.
  - Remediation: Configure sessions with secure settings and environment-based secrets.

```javascript
const session = require('express-session');

app.use(session({
  secret: process.env.SESSION_SECRET,
  cookie: {
    secure: process.env.NODE_ENV === 'production',
    httpOnly: true,
    sameSite: 'strict',
    maxAge: 1000 * 60 * 60 * 24
  },
  resave: false,
  saveUninitialized: false
}));
```

Learn more: https://shoulder.dev/learn/javascript/cwe-384/express-session-configuration

### Typescript (1 rules)

- **Express Insecure Session Configuration** [HIGH]: Detects insecure session configuration including weak secrets, insecure cookies, and missing security flags.
  - Remediation: Configure sessions with secure settings and environment-based secrets.

```javascript
const session = require('express-session');

app.use(session({
  secret: process.env.SESSION_SECRET,
  cookie: {
    secure: process.env.NODE_ENV === 'production',
    httpOnly: true,
    sameSite: 'strict',
    maxAge: 1000 * 60 * 60 * 24
  },
  resave: false,
  saveUninitialized: false
}));
```

Learn more: https://shoulder.dev/learn/javascript/cwe-384/express-session-configuration

### Go (1 rules)

- **Insecure Session Management** [HIGH]: Session IDs use predictable values or cookies lack Secure/HttpOnly flags.
  - Remediation: Use crypto/rand for session IDs and set secure cookie flags.

```go
b := make([]byte, 32)
rand.Read(b)
sessionID := base64.URLEncoding.EncodeToString(b)

http.SetCookie(w, &http.Cookie{
    Name:     "session_id",
    Value:    sessionID,
    HttpOnly: true,
    Secure:   true,
    SameSite: http.SameSiteStrictMode,
})
```

Learn more: https://shoulder.dev/learn/go/cwe-384/insecure-session-management

### Python (1 rules)

- **Session Fixation Vulnerability** [HIGH]: Detects missing session regeneration after authentication, which enables session
fixation attacks.

Session fixation is a serious authentication vulnerability where an attacker forces
a victim to use a session ID that the attacker already knows. The attack works like this:

1. Attacker obtains a valid session ID (e.g., by visiting the login page)
2. Attacker tricks victim into authenticating with that session ID (via URL, cookie injection, etc.)
3. Victim logs in, and the pre-known session ID be
  - Remediation: Regenerate the session ID after successful authentication.

```python
from flask import session, request, redirect
from flask_login import login_user

def regenerate_session():
    data = dict(session)
    session.clear()
    session.update(data)

@app.route('/login', methods=['POST'])
def login():
    user = User.query.filter_by(username=request.form['username']).first()
    if user and check_password(user.password, request.form['password']):
        regenerate_session()  # Regenerate BEFORE login
        login_user(user)
        return redirect('/dashboard')
    return 'Invalid credentials', 401
```

Learn more: https://shoulder.dev/learn/python/cwe-384/session-fixation