# Insecure Session Management

- ID: go-insecure-session-management
- Severity: HIGH
- CWE: Session Fixation (CWE-384)
- Languages: Go

## Description

Session IDs use predictable values, or session cookies lack the Secure/HttpOnly flags.

## Detection Message

Session management has security weaknesses

## Remediation

Use crypto/rand for session IDs and set secure cookie flags.

```go
import (
	"crypto/rand"
	"encoding/base64"
	"net/http"
)

// Inside an http.HandlerFunc: w is the http.ResponseWriter for the response.
func setSession(w http.ResponseWriter, r *http.Request) {
	// 256 bits from the OS CSPRNG (crypto/rand), never math/rand or a timestamp.
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		// A failed read is fatal for this request; do not fall back to a weaker source.
		http.Error(w, "internal error", http.StatusInternalServerError)
		return
	}
	sessionID := base64.URLEncoding.EncodeToString(b)
	http.SetCookie(w, &http.Cookie{
		Name:     "session_id",
		Value:    sessionID,
		HttpOnly: true,                    // not readable from JavaScript
		Secure:   true,                    // only sent over HTTPS
		SameSite: http.SameSiteStrictMode, // not sent on cross-site requests
	})
}
```

Learn more: https://shoulder.dev/learn/go/cwe-384/insecure-session-management

## Related Rules

- **Express Insecure Session Configuration** [HIGH]
- **Session Fixation Vulnerability** [HIGH]
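The following is an added example, not the rule's own code, that carries the remediation through end to end: an ID drawn from crypto/rand, the hardened cookie, and rotation of the session ID at login, which is the step that actually closes CWE-384 (a pre-authentication ID must never be promoted to an authenticated one). The `sessions` map, `Login` and `CookieIsHardened` are names assumed for this example; `CookieIsHardened` is the check a reviewer can run against any handler's Set-Cookie header.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// NewSessionID draws 256 bits from crypto/rand, URL-safe base64 encoded (44 chars).
func NewSessionID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err // never fall back to math/rand or a timestamp
	}
	return base64.URLEncoding.EncodeToString(b), nil
}

// SetSessionCookie writes the session cookie with the flags this rule requires.
func SetSessionCookie(w http.ResponseWriter, id string) {
	http.SetCookie(w, &http.Cookie{Name: "session_id", Value: id, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode})
}

// Login drops the ID the client presented before authenticating and binds user to a
// fresh one in sessions (a constructed in-memory table, ID -> user), so a pre-set ID
// can never become an authenticated session (CWE-384).
func Login(sessions map[string]string, w http.ResponseWriter, presentedID, user string) (string, error) {
	delete(sessions, presentedID)
	id, err := NewSessionID()
	if err != nil {
		return "", err
	}
	sessions[id] = user
	SetSessionCookie(w, id)
	return id, nil
}

// CookieIsHardened checks a Set-Cookie header value for HttpOnly, Secure and SameSite=Strict.
func CookieIsHardened(setCookie string) bool {
	l := strings.ToLower(setCookie)
	return strings.Contains(l, "httponly") && strings.Contains(l, "secure") && strings.Contains(l, "samesite=strict")
}

func main() {
	sessions, rec := map[string]string{}, httptest.NewRecorder()
	id, _ := Login(sessions, rec, "pre-auth-id", "alice")
	fmt.Println("rotated:", id != "pre-auth-id", "hardened:", CookieIsHardened(rec.Header().Get("Set-Cookie")))
}
```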