# Session Fixation (CWE-384) Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. **Stack:** Python - Prevalence: Medium 3 languages covered - Impact: High 3 high-severity rules - Prevention: Documented 3 fix examples **OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7 ## Description In a session fixation attack, the attacker sets a user's session ID to a known value before the user authenticates. After authentication, the attacker can use the known session ID to hijack the authenticated session. ## Prevention Prevention strategies for Session Fixation based on 1 Shoulder detection rules. ### Key Practices - Use a session ID that the attacker already knows ### Python Regenerate the session ID immediately after successful authentication ## Warning Signs - [HIGH] missing session regeneration after authentication, which enables session fixation attacks ## Consequences - Gain Privileges - Bypass Protection Mechanism ## Mitigations - Regenerate session IDs after successful authentication - Invalidate old sessions when creating new ones - Use secure session management libraries ## Detection - Total rules: 3 - Languages: javascript, typescript, go, python ## Rules by Language ### Python (1 rules) - **Session Fixation Vulnerability** [HIGH]: Detects missing session regeneration after authentication, which enables session fixation attacks. Session fixation is a serious authentication vulnerability where an attacker forces a victim to use a session ID that the attacker already knows. The attack works like this: 1. Attacker obtains a valid session ID (e.g., by visiting the login page) 2. Attacker tricks victim into authenticating with that session ID (via URL, cookie injection, etc.) 3. Victim logs in, and the pre-known session ID becomes authenticated 4. Attacker uses the same session ID to hijack the victim's authenticated session Why this matters: - Attackers can gain full access to victim accounts without knowing credentials - Session tokens are often long-lived, giving attackers extended access windows - The attack is invisible to the victim who authenticated normally - Multi-factor authentication may be bypassed since attacker rides on legitimate auth Always regenerate session IDs immediately after successful authentication to invalidate any pre-existing session tokens an attacker might possess. - Remediation: Regenerate the session ID after successful authentication. ```python from flask import session, request, redirect from flask_login import login_user def regenerate_session(): data = dict(session) session.clear() session.update(data) @app.route('/login', methods=['POST']) def login(): user = User.query.filter_by(username=request.form['username']).first() if user and check_password(user.password, request.form['password']): regenerate_session() # Regenerate BEFORE login login_user(user) return redirect('/dashboard') return 'Invalid credentials', 401 ``` Learn more: https://shoulder.dev/learn/python/cwe-384/session-fixation