# Session Fixation (CWE-384)

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

**Stack:** Go

- Prevalence: 보통 3개 언어 지원
- Impact: 높음 3개의 높은 심각도 규칙
- Prevention: 문서화됨 3개의 수정 예시

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

In a session fixation attack, the attacker sets a user's session ID to a known value before the user authenticates. After authentication, the attacker can use the known session ID to hijack the authenticated session.

## Prevention

1개의 Shoulder 탐지 규칙을 기반으로 한 Session Fixation 예방 전략.

### Key Practices

- Use predictable values or cookies lack Secure/HttpOnly flags

### Go

Use crypto/rand for session IDs with Secure, HttpOnly, and SameSite cookie flags

## Warning Signs

- [HIGH] Session management has security weaknesses

## Consequences

- 권한 획득
- 보호 메커니즘 우회

## Mitigations

- 인증에 성공한 후 세션 ID를 재생성하세요
- 새 세션을 생성할 때 이전 세션을 무효화하세요
- 안전한 세션 관리 라이브러리를 사용하세요

## Detection

- Total rules: 3
- Languages: javascript, typescript, go, python

## Rules by Language

### Go (1 rules)

- **Insecure Session Management** [HIGH]: Session IDs use predictable values or cookies lack Secure/HttpOnly flags.
  - Remediation: Use crypto/rand for session IDs and set secure cookie flags.

```go
b := make([]byte, 32)
rand.Read(b)
sessionID := base64.URLEncoding.EncodeToString(b)

http.SetCookie(w, &http.Cookie{
    Name:     "session_id",
    Value:    sessionID,
    HttpOnly: true,
    Secure:   true,
    SameSite: http.SameSiteStrictMode,
})
```

Learn more: https://shoulder.dev/learn/go/cwe-384/insecure-session-management