# Session Fixation (CWE-384)

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

- Prevalence: Média 3 linguagens cobertas
- Impact: Alto 3 regras de severidade alta
- Prevention: Documentada 3 exemplos de correção

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

In a session fixation attack, the attacker sets a user's session ID to a known value before the user authenticates. After authentication, the attacker can use the known session ID to hijack the authenticated session.

## Prevention

Estratégias de prevenção para Session Fixation baseadas em 3 regras de detecção do Shoulder.

### Key Practices

- Use predictable values or cookies lack Secure/HttpOnly flags
- Use a session ID that the attacker already knows

### JavaScript

Configure sessions with environment-based secrets and secure cookie flags

### Go

Use crypto/rand for session IDs with Secure, HttpOnly, and SameSite cookie flags

### Python

Regenerate the session ID immediately after successful authentication

## Warning Signs

- [HIGH] Session configuration has security vulnerabilities
- [HIGH] insecure session configuration including weak secrets, insecure cookies, and missing security flags
- [HIGH] Session management has security weaknesses
- [HIGH] missing session regeneration after authentication, which enables session
fixation attacks

## Consequences

- Obter privilégios
- Burlar mecanismo de proteção

## Mitigations

- Regenere os IDs de sessão após autenticação bem-sucedida
- Invalide sessões antigas ao criar novas
- Use bibliotecas seguras de gerenciamento de sessão

## Detection

- Total rules: 3
- Languages: javascript, typescript, go, python

## Rules by Language

### Javascript (1 rules)

- **Express Insecure Session Configuration** [HIGH]: Detects insecure session configuration including weak secrets, insecure cookies, and missing security flags.
  - Remediation: Configure sessions with secure settings and environment-based secrets.

```javascript
const session = require('express-session');

app.use(session({
  secret: process.env.SESSION_SECRET,
  cookie: {
    secure: process.env.NODE_ENV === 'production',
    httpOnly: true,
    sameSite: 'strict',
    maxAge: 1000 * 60 * 60 * 24
  },
  resave: false,
  saveUninitialized: false
}));
```

Learn more: https://shoulder.dev/learn/javascript/cwe-384/express-session-configuration

### Typescript (1 rules)

- **Express Insecure Session Configuration** [HIGH]: Detects insecure session configuration including weak secrets, insecure cookies, and missing security flags.
  - Remediation: Configure sessions with secure settings and environment-based secrets.

```javascript
const session = require('express-session');

app.use(session({
  secret: process.env.SESSION_SECRET,
  cookie: {
    secure: process.env.NODE_ENV === 'production',
    httpOnly: true,
    sameSite: 'strict',
    maxAge: 1000 * 60 * 60 * 24
  },
  resave: false,
  saveUninitialized: false
}));
```

Learn more: https://shoulder.dev/learn/javascript/cwe-384/express-session-configuration

### Go (1 rules)

- **Insecure Session Management** [HIGH]: Session IDs use predictable values or cookies lack Secure/HttpOnly flags.
  - Remediation: Use crypto/rand for session IDs and set secure cookie flags.

```go
b := make([]byte, 32)
rand.Read(b)
sessionID := base64.URLEncoding.EncodeToString(b)

http.SetCookie(w, &http.Cookie{
    Name:     "session_id",
    Value:    sessionID,
    HttpOnly: true,
    Secure:   true,
    SameSite: http.SameSiteStrictMode,
})
```

Learn more: https://shoulder.dev/learn/go/cwe-384/insecure-session-management

### Python (1 rules)

- **Session Fixation Vulnerability** [HIGH]: Detects missing session regeneration after authentication, which enables session
fixation attacks.

Session fixation is a serious authentication vulnerability where an attacker forces
a victim to use a session ID that the attacker already knows. The attack works like this:

1. Attacker obtains a valid session ID (e.g., by visiting the login page)
2. Attacker tricks victim into authenticating with that session ID (via URL, cookie injection, etc.)
3. Victim logs in, and the pre-known session ID be
  - Remediation: Regenerate the session ID after successful authentication.

```python
from flask import session, request, redirect
from flask_login import login_user

def regenerate_session():
    data = dict(session)
    session.clear()
    session.update(data)

@app.route('/login', methods=['POST'])
def login():
    user = User.query.filter_by(username=request.form['username']).first()
    if user and check_password(user.password, request.form['password']):
        regenerate_session()  # Regenerate BEFORE login
        login_user(user)
        return redirect('/dashboard')
    return 'Invalid credentials', 401
```

Learn more: https://shoulder.dev/learn/python/cwe-384/session-fixation