Session fixation

Overview

In session fixation attacks an attacker coerces a user into establishing a session with a session id known to the attacker. Knowledge of the user’s session id gives the attacker access to the user’s account.

What makes a site vulnerable?

A website may be vulnerable to session fixation attacks if it accepts and uses previously unseen session ids. It may also be vulnerable if it makes inadequate checks that subsequent use of a session id is made by the same user who established it.

Impact of the attack

Session fixation attacks give an attacker access to a user’s account. This may allow the attacker to perform a denial of service or gain on-going exclusive control over the user’s account access, through modification of the user’s.

Preventing the attack

At a minimum, the website should not accept unknown session ids; instead it should generate a new session id whenever no known session id is supplied. The session id should also be changed whenever the user logs in or otherwise changes access level. This ensures that even if the attacker manages to fix the initial session id with which the user accesses the site, that id is invalidated as soon as the user logs in. Another method of preventing session fixation attacks is to associate the session with information about the user, such as their IP address, browser type, etc. While not foolproof, this does put additional obstacles in the attacker's way.
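The defences above, as an added Python example that is not part of the original article: a minimal in-memory session store (constructed here, not any framework's real API) that refuses unseen ids, binds each session to a request fingerprint such as the browser type, and rotates the id at login, followed by a walkthrough showing that an id planted before login no longer resolves to the victim's account.

```python
import secrets


class SessionStore:
    """Server-side session store with the defences from the text: unknown ids are
    never adopted, the id is rotated on login, and a session is bound to a request
    fingerprint (e.g. User-Agent). Constructed for this example, not a framework."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "fp": ...}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def resolve(self, presented_id, fingerprint):
        """Return the session id to use for this request. A previously unseen id
        (for example one planted in the victim's browser) is ignored and a fresh
        session is issued; a known id is honoured only if the fingerprint matches."""
        data = self._sessions.get(presented_id)
        if data is not None and data["fp"] == fingerprint:
            return presented_id
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "fp": fingerprint}
        return sid

    def login(self, sid, user):
        """Mark the session authenticated and rotate its id. The old id is dropped,
        so anyone who learned it before login no longer holds a valid session."""
        data = self._sessions.pop(sid)
        data["user"] = user
        new_sid = self._new_id()
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        """User bound to sid, or None if sid is unknown or still anonymous."""
        data = self._sessions.get(sid)
        return data["user"] if data else None


def fixation_walkthrough():
    """Replay the scenario from the text with the defences in place."""
    store = SessionStore()
    planted = "id-chosen-by-attacker"  # constructed value the attacker knows
    sid = store.resolve(planted, "victim-browser")  # unknown id: not adopted
    sid = store.login(sid, "alice")  # id rotated at login
    return {
        "planted_id_adopted": sid == planted,
        "user_via_planted_id": store.user_for(planted),
        "user_via_victim_id": store.user_for(sid),
    }
```

Without the rotation in `login`, the planted id would keep pointing at the now-authenticated session; with it, the attacker's id is simply an unknown id again.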