This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP Periodic Table of Vulnerabilities - Session Fixation

Revision as of 11:28, 22 July 2013 by James Landis (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Return to Periodic Table Working View

Session Fixation

Root Cause Summary

An attacker can force a victim to use a session ID that is already known to the attacker; if the application does not change the ID when the privileges associated with the session change, the attacker then has access to those privileges via the known session ID.

Browser / Standards Solution


Perimeter Solution


Generic Framework Solution

The framework must not create new sessions using session IDs supplied by the HTTP client.

The framework must discard an existing session ID and generate a new token for a session any time the privilege level of the session changes. Examples of privileges changing include:

  • A user logging in after starting an anonymous session
  • An administrator authorizing access to secure features during a session where only user-level privileges are being used
  • A user switching to a different user account during an active session with another account
  • An anonymous user submitting sensitive data which will be stored in session state and later echoed back to the user

Custom Framework Solution


Custom Code Solution


Discussion / Controversy



Session Management Cheat Sheet

OWASP Session Fixation Page

Session Fixaction (WASC)