# Session Fixation Vulnerability

- ID: python-session-fixation
- Severity: HIGH
- CWE: Session Fixation (CWE-384)
- Languages: Python
- Frameworks: flask, django

## Description

Detects missing session regeneration after authentication, which enables session fixation attacks.

Session fixation is a serious authentication vulnerability where an attacker forces a victim to use a session ID that the attacker already knows. The attack works like this:

1. Attacker obtains a valid session ID (e.g., by visiting the login page)
2. Attacker tricks the victim into authenticating with that session ID (via URL, cookie injection, etc.)
3. Victim logs in, and the pre-known session ID becomes authenticated
4. Attacker uses the same session ID to hijack the victim's authenticated session

Why this matters:

- Attackers can gain full access to victim accounts without knowing credentials
- Session tokens are often long-lived, giving attackers extended access windows
- The attack is invisible to the victim, who authenticated normally
- Multi-factor authentication may be bypassed, since the attacker rides on the victim's legitimate authentication

Always regenerate session IDs immediately after successful authentication to invalidate any pre-existing session tokens an attacker might possess.

## Remediation

Regenerate the session ID after successful authentication.
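As an added, framework-independent illustration of the attack steps and the fix described above (constructed demo code, not the rule's own sample), a minimal in-memory server-side session store with a login that keeps the pre-authentication ID beside one that rotates it; `SessionStore`, `login_vulnerable`, `login_fixed` and `fixation_possible` are names assumed for this example.

```python
import secrets

class SessionStore:
    """Minimal in-memory server-side session store keyed by a random ID (demo only)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # Issued to any visitor, e.g. when the login page is first requested.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, sid):
        """Move the session data under a fresh ID and invalidate the old one."""
        data = self._sessions.pop(sid, {})
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

def login_vulnerable(store, sid, username):
    """Marks the existing session authenticated; the pre-login ID stays valid (CWE-384)."""
    store.get(sid)["user"] = username
    return sid

def login_fixed(store, sid, username):
    """Rotates the ID before authenticating, so a pre-login ID never becomes a logged-in one."""
    new_sid = store.rotate(sid)
    store.get(new_sid)["user"] = username
    return new_sid

def fixation_possible(store, planted_sid):
    """Check: does an ID issued before login now resolve to an authenticated session?"""
    data = store.get(planted_sid)
    return data is not None and "user" in data

if __name__ == "__main__":
    for login in (login_vulnerable, login_fixed):
        store = SessionStore()
        planted = store.create()         # constructed: ID handed out before authentication
        login(store, planted, "victim")  # victim authenticates while holding that ID
        print(f"{login.__name__}: fixation possible = {fixation_possible(store, planted)}")
```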
```python
from flask import Flask, session, request, redirect
from flask_login import LoginManager, login_user

app = Flask(__name__)
app.secret_key = "change-me"  # placeholder: load the real key from configuration
login_manager = LoginManager(app)  # login_user() requires an initialised LoginManager

# User (with a .query attribute and .password field) and check_password() are the
# application's own model and password helper; they are not defined on this page.


def regenerate_session():
    # Copy the pre-authentication data, drop the old session and rebuild it,
    # so the client is issued a fresh session cookie instead of keeping the
    # one it arrived with.
    data = dict(session)
    session.clear()
    session.update(data)


@app.route('/login', methods=['POST'])
def login():
    user = User.query.filter_by(username=request.form['username']).first()
    if user and check_password(user.password, request.form['password']):
        regenerate_session()  # Regenerate BEFORE login
        login_user(user)
        return redirect('/dashboard')
    return 'Invalid credentials', 401
```

Learn more: https://shoulder.dev/learn/python/cwe-384/session-fixation

## Related Rules

- **Express Insecure Session Configuration** [HIGH]
- **Insecure Session Management** [HIGH]