Session Fixation

🛡️ 3 rules detect this

Authenticating a user, or otherwise establishing a new user session, without invalidating the session identifier the client already presented gives an attacker who knows that identifier an authenticated session to hijack (CWE-384).

In a session fixation attack, the attacker sets a user's session ID to a value the attacker already knows (typically one the server issued to the attacker, or one the server accepts unchanged from the client) before the user authenticates. After authentication, the attacker replays the known session ID and is treated as the logged-in user.
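The attack above, played out against a small server-side session store, as an added example (this is not code from the Shoulder page or its rules). SessionStore, login_vulnerable, login_hardened, simulate_fixation and the USERS table are illustrative names and constructed data; the step in which the attacker plants the ID in the victim's browser is assumed rather than modelled, since it depends on the delivery vector.

```python
import hmac
import secrets

# Constructed credential table for the example only; a real service stores
# password hashes, not plaintext.
USERS = {"alice": "correct horse battery staple"}


def check_password(username, password):
    """Constant-time comparison against the constructed table above."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode()
    )


class SessionStore:
    """Minimal in-memory server-side session store (illustrative name)."""

    def __init__(self):
        self._sessions = {}  # session_id -> session data dict

    def create(self):
        """Anonymous session with an unpredictable 256-bit ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def delete(self, sid):
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        """User bound to a session ID; None when anonymous or unknown."""
        session = self._sessions.get(sid)
        return None if session is None else session["user"]


def login_vulnerable(store, sid, username, password):
    """Vulnerable login: binds the user to whatever session ID the client
    presented, so an ID the attacker planted becomes an authenticated one."""
    if not check_password(username, password):
        return None
    session = store.get(sid)
    if session is None:
        return None  # at least refuse to adopt an ID the server never issued
    session["user"] = username
    return sid


def login_hardened(store, sid, username, password, carry_over=("csrf",)):
    """Hardened login: on success, discard the pre-authentication session,
    issue a fresh ID, and copy across only explicitly whitelisted keys."""
    if not check_password(username, password):
        return None
    old = store.get(sid) or {}
    kept = {key: old[key] for key in carry_over if key in old}
    store.delete(sid)  # the planted ID is now meaningless
    new_sid = store.create()
    store.get(new_sid).update(kept)
    store.get(new_sid)["user"] = username
    return new_sid  # the caller sends this as the new session cookie


def simulate_fixation(login):
    """Run the attack described in the text against one login function.

    1. The attacker obtains a valid anonymous session ID from the server.
    2. The attacker plants it in the victim's browser (assumed, not modelled:
       a cookie-writing XSS, a sibling subdomain, a URL parameter, ...).
    3. The victim logs in while carrying the planted ID.
    4. The attacker replays the planted ID.
    Returns the user the server now associates with the planted ID."""
    store = SessionStore()
    planted = store.create()  # step 1
    victim_cookie = planted  # step 2
    assert login(store, victim_cookie, "alice", "correct horse battery staple")  # step 3
    return store.user_for(planted)  # step 4


if __name__ == "__main__":
    print("vulnerable login:", simulate_fixation(login_vulnerable))  # alice
    print("hardened login:  ", simulate_fixation(login_hardened))  # None
```

The whitelist in login_hardened is the detail that matters in practice: copying the whole pre-login session across (including keys an attacker may have seeded through the planted session) reintroduces part of the problem, so carry over only what the application needs, such as a CSRF token.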

Prevalence: Medium (3 languages covered)
Impact: High (3 high-severity rules)
Prevention: Documented (3 fix examples)

2 Prevention

How to fix this vulnerability

Prevention strategies for Session Fixation based on 3 Shoulder detection rules.

Express Insecure Session Configuration HIGH

Configure sessions with environment-based secrets and secure cookie flags

+9 -3 javascript
  app.use(session({
-   secret: 'keyboard cat',
-   resave: true,
-   saveUninitialized: true
+   secret: process.env.SESSION_SECRET,
+   cookie: {
+     secure: process.env.NODE_ENV === 'production',
+     httpOnly: true,
+     sameSite: 'strict',
+     maxAge: 1000 * 60 * 60 * 24
+   },
+   resave: false,
+   saveUninitialized: false
  }));
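Review bot: none of the + lines rotate the session on login, which is the fixation fix itself; express-session keeps whatever ID arrived in the request cookie, so the login handler must call req.session.regenerate(callback) and only store the authenticated user inside that callback. Two smaller points on the new config: `secret: process.env.SESSION_SECRET` is simply undefined when the variable is unset, so validate it at startup (`if (!process.env.SESSION_SECRET) throw new Error('SESSION_SECRET is required')`) rather than finding out per request; and `sameSite: 'strict'` also withholds the cookie on top-level navigations arriving from other sites, so a login flow that returns through an external redirect (an OAuth or SSO callback) will not see the session on that request, which is why 'lax' is the usual choice unless the app never receives cross-site navigations.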
  
Insecure Session Management HIGH

Use crypto/rand for session IDs with Secure, HttpOnly, and SameSite cookie flags

+10 -4 go
  func createSession(w http.ResponseWriter, r *http.Request) {
-     sessionID := fmt.Sprintf("%d", time.Now().Unix())
-     http.SetCookie(w, &http.Cookie{
-         Name:  "session_id",
-         Value: sessionID,
+     b := make([]byte, 32)
+     rand.Read(b)
+     sessionID := base64.URLEncoding.EncodeToString(b)
+     http.SetCookie(w, &http.Cookie{
+         Name:     "session_id",
+         Value:    sessionID,
+         HttpOnly: true,
+         Secure:   true,
+         SameSite: http.SameSiteStrictMode,
+         MaxAge:   3600,
      })
  }
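Review bot: the return value of rand.Read(b) is discarded and the import is not in the hunk; make sure it is crypto/rand (math/rand exports a Read with the same shape and is predictable) and check the error, e.g. `if _, err := rand.Read(b); err != nil { http.Error(w, "session error", 500); return }`. Path is unset, so Go emits no Path attribute and browsers scope the cookie to the directory of the request URL rather than the whole site; add `Path: "/"`. Finally, for the fixation case this page is about, createSession must run only after successful authentication, and the server-side record for any session_id the request already carried has to be deleted, which this hunk does not show.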
  
Session Fixation Vulnerability HIGH

Regenerate the session ID immediately after successful authentication

+10 -4 python
  from flask import session, request
  from flask_login import login_user
  
- @app.route('/login', methods=['POST'])
- def login():
-     user = User.query.filter_by(username=request.form['username']).first()
-     if user and check_password(user.password, request.form['password']):
+ def regenerate_session():
+     data = dict(session)
+     session.clear()
+     session.update(data)
+ 
+ @app.route('/login', methods=['POST'])
+ def login():
+     user = User.query.filter_by(username=request.form['username']).first()
+     if user and check_password(user.password, request.form['password']):
+         regenerate_session()
          login_user(user)
          return redirect('/dashboard')
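Review bot: regenerate_session() in the + lines does not regenerate anything for Flask's default session, which is a signed client-side cookie with no server-side ID; dict(session) / session.clear() / session.update(data) re-serialises the same contents, and it copies back every key the pre-login session held, including anything an attacker seeded through the planted session. With a server-side session store the fix is to delete the entry for the old ID and issue a fresh ID through the store's own mechanism, carrying over only keys you name explicitly (for example a CSRF token), and to keep that call before login_user(user) as the hunk already does.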
  

Key Practices

  • Generate session IDs from a cryptographic random source (never a timestamp or counter) and set the Secure, HttpOnly and SameSite flags on the session cookie
  • Never keep a session ID the client presented before authentication; issue a fresh ID on login and on any privilege change, and invalidate the old one server-side
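An added example, not part of the page or the Shoulder rules, that puts both practices into code using only the Python standard library: issue_session_cookie mints a session cookie the way the page's Go and Express fixes do (random ID, Secure, HttpOnly, SameSite, Path), and audit_set_cookie checks any Set-Cookie header value for the weaknesses the page flags. The sample headers are constructed, and estimate_bits is a deliberately crude upper bound on the ID's keyspace derived from the characters it contains, not an entropy measurement; a timestamp-derived value that happens to be hex-encoded would still pass it.

```python
import math
import secrets
from http.cookies import SimpleCookie


def issue_session_cookie(name="session_id", max_age=3600):
    """Mint a session ID and the Set-Cookie header value that should carry it."""
    sid = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
    jar = SimpleCookie()
    jar[name] = sid
    jar[name]["secure"] = True  # only over TLS
    jar[name]["httponly"] = True  # not readable from script
    jar[name]["samesite"] = "Strict"  # withheld from cross-site requests
    jar[name]["path"] = "/"  # otherwise browsers scope it to the request's directory
    jar[name]["max-age"] = max_age
    return sid, jar[name].OutputString()


def estimate_bits(value):
    """Crude upper bound on a session ID's keyspace: length times log2 of the
    alphabet implied by the character classes present (hex is special-cased)."""
    if value and all(ch in "0123456789abcdefABCDEF" for ch in value):
        alphabet = 16
    else:
        classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10))
        alphabet = sum(size for test, size in classes if any(test(ch) for ch in value))
        alphabet += len({ch for ch in value if not ch.isalnum()})
    return len(value) * math.log2(alphabet) if alphabet else 0.0


def audit_set_cookie(header, min_bits=128):
    """Findings for one Set-Cookie header value; an empty list means it passes."""
    findings = []
    name_value, *attrs = [part.strip() for part in header.split(";")]
    _name, _, value = name_value.partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip()
    if "secure" not in attributes:
        findings.append("missing Secure")
    if "httponly" not in attributes:
        findings.append("missing HttpOnly")
    if "samesite" not in attributes:
        findings.append("missing SameSite")
    elif attributes["samesite"].lower() == "none":
        findings.append("SameSite=None offers no cross-site protection")
    if value.isdigit():
        findings.append("value is a plain integer (timestamp or counter)")
    else:
        bits = estimate_bits(value)
        if bits < min_bits:
            findings.append(f"value carries only ~{int(bits)} bits of keyspace")
    return findings


# Constructed Set-Cookie header values for the example.
SAMPLES = {
    "timestamp_no_flags": "session_id=1712345678; Path=/",
    "short_hex": "sid=deadbeefcafef00d; Secure; HttpOnly; SameSite=Lax; Path=/",
    "samesite_none": "sid=m3x7QdLp9vR2sKwJ8zYbN4tHgF6cAeU1iO0rVXPlmSk; Secure; HttpOnly; SameSite=None",
}


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, "->", audit_set_cookie(header) or "OK")
    _sid, good = issue_session_cookie()
    print("issued", "->", audit_set_cookie(good) or "OK")
```

audit_set_cookie is the shape of check you can run over captured login responses during a review: it catches the Go "before" pattern on this page (a Unix timestamp as the session ID) and the missing-flag cases the Express rule flags, without needing access to the source.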
3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your codebase for Session Fixation patterns. 3 rules.

terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=384

# Or scan entire project
npx @shoulderdev/cli trust .

4 Warning Signs

What to watch for in code reviews

These patterns indicate potential Session Fixation vulnerabilities. Look for these during code reviews and security audits.

  • express-insecure-session: session configuration has security vulnerabilities, including weak secrets, insecure cookies, and missing security flags
  • go-insecure-session-management: session management has security weaknesses
  • python-session-fixation: missing session regeneration after authentication, which enables session fixation attacks