# Session Fixation (CWE-384)

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

**Stack:** JavaScript

- Prevalence: Średnia Pokryto 3 języków
- Impact: Wysoki 3 reguł o wysokim poziomie
- Prevention: Udokumentowane 3 przykładów poprawek

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

In a session fixation attack, the attacker sets a user's session ID to a known value before the user authenticates. After authentication, the attacker can use the known session ID to hijack the authenticated session.

## Prevention

Strategie zapobiegania dla Session Fixation oparte na 1 regułach detekcji Shoulder.

### JavaScript

Configure sessions with environment-based secrets and secure cookie flags

## Warning Signs

- [HIGH] Session configuration has security vulnerabilities
- [HIGH] insecure session configuration including weak secrets, insecure cookies, and missing security flags

## Consequences

- Uzyskanie uprawnień
- Obejście mechanizmu ochrony

## Mitigations

- Po pomyślnym uwierzytelnieniu regeneruj identyfikatory sesji
- Tworząc nowe sesje, unieważniaj poprzednie
- Stosuj bezpieczne biblioteki zarządzania sesją

## Detection

- Total rules: 3
- Languages: javascript, typescript, go, python

## Rules by Language

### Javascript (1 rules)

- **Express Insecure Session Configuration** [HIGH]: Detects insecure session configuration including weak secrets, insecure cookies, and missing security flags.
  - Remediation: Configure sessions with secure settings and environment-based secrets.

```javascript
const session = require('express-session');

app.use(session({
  secret: process.env.SESSION_SECRET,
  cookie: {
    secure: process.env.NODE_ENV === 'production',
    httpOnly: true,
    sameSite: 'strict',
    maxAge: 1000 * 60 * 60 * 24
  },
  resave: false,
  saveUninitialized: false
}));
```

Learn more: https://shoulder.dev/learn/javascript/cwe-384/express-session-configuration

### Typescript (1 rules)

- **Express Insecure Session Configuration** [HIGH]: Detects insecure session configuration including weak secrets, insecure cookies, and missing security flags.
  - Remediation: Configure sessions with secure settings and environment-based secrets.

```javascript
const session = require('express-session');

app.use(session({
  secret: process.env.SESSION_SECRET,
  cookie: {
    secure: process.env.NODE_ENV === 'production',
    httpOnly: true,
    sameSite: 'strict',
    maxAge: 1000 * 60 * 60 * 24
  },
  resave: false,
  saveUninitialized: false
}));
```

Learn more: https://shoulder.dev/learn/javascript/cwe-384/express-session-configuration