This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP Periodic Table of Vulnerabilities - Session Fixation

Revision as of 16:29, 21 July 2013 by Jmanico (talk | contribs) (Created page with "Return to Periodic Table Working View == Insufficient Session Expiration == Session Fixation is...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Return to Periodic Table Working View

Insufficient Session Expiration

Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack takes advantage of a limitation in the way the web application manages session IDs. When authenticating a user, an application vulnerable to session fixation does not assign a new session ID to the user, and instead recycle the current users anonymous session id.

The attack consists of inducing a user to authenticate himself with a known session ID, and then hijacking the user-validated session by the knowledge of the used session ID. The attacker has to provide a legitimate Web application session ID and try to make the victim's browser use it.

The session fixation attack is a class of Session Hijacking, which steals the established session between the client and the web server after the user logs in. Instead, the Session Fixation attack fixes an established session on the victim's browser, so the attack starts before the user logs in. There are several techniques to execute the attack; it depends on how the Web application deals with session tokens.

Root Cause Summary

Session fixation occurs when an anonymous session id is re-used (and not rotated) during authentication.

Browser / Standards Solution


Perimeter Solution


Generic Framework Solution

Most web application frameworks provide configuration settings for IDLE timeout.

Custom Framework Solution


Custom Code Solution

Most web frameworks are vulnerable to session fixation. If necessary, be sure to invalidate all existing sessions at login time before creating a new authenticated session for any user.

Discussion / Controversy



Session Management Cheat Sheet

OWASP Session Fixation Page