Session Fixation
ID: 384 | Date: (C)2012-05-14 (M)2022-10-10 | Type: compound element | Status: INCOMPLETE | Abstraction Type: Base
Description
Authenticating a user, or otherwise establishing a new user
session, without invalidating any existing session identifier gives an attacker
the opportunity to steal authenticated sessions.
Applicable Platforms
Language Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Access_Control | Gain privileges / assume identity | |
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Architecture and Design | | Invalidate any existing session identifiers prior to authorizing a new user session. | | |
Architecture and Design | | For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again. | | |
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-384 Requires CWE-441 | Weakness | CWE-1000 | |
Demonstrative Examples (Details)
- The following example shows a snippet of code from a J2EE web application where the application authenticates users with LoginContext.login() without first calling HttpSession.invalidate().
- The following example shows a snippet of code from a J2EE web application where the application authenticates users with a direct post to j_security_check, which typically does not invalidate the existing session before processing the login request.
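The two mitigations above and the vulnerable login pattern in the demonstrative examples, modelled as an added example (not CWE's or any J2EE framework's code): `store` is an in-memory dict standing in for a server-side session table, the session ids are constructed with `secrets`, and `planted_id_survives_login` is a defender's check that a session id known before authentication does not still resolve to the logged-in user afterwards.

```python
import secrets

def new_session(store):
    # Create a fresh session entry and return its random identifier.
    sid = secrets.token_urlsafe(32)
    store[sid] = {}
    return sid

def login_vulnerable(store, sid, user):
    # CWE-384 pattern: authenticates into whatever session the client
    # presented, so an identifier known before login stays valid after it.
    if sid not in store:
        sid = new_session(store)
    store[sid]["user"] = user
    return sid

def login_fixed(store, sid, user):
    # Mitigation 1: invalidate the presented session before authenticating
    # and issue a fresh identifier, so any earlier copy of the id is dead.
    store.pop(sid, None)
    sid = new_session(store)
    store[sid]["user"] = user
    return sid

def login_with_secondary_cookie(store, sid, user):
    # Mitigation 2, for platforms that cannot rotate the session id: bind the
    # session to a random secondary cookie mirrored in a session variable.
    if sid not in store:
        sid = new_session(store)
    secondary = secrets.token_urlsafe(32)
    store[sid].update(user=user, secondary=secondary)
    return sid, secondary

def authenticated_user(store, sid, secondary=None):
    # Resolve the request's user; a session bound to a secondary cookie is
    # invalidated (forcing a new logon) when the request's copy is absent or differs.
    sess = store.get(sid)
    if sess is None or "user" not in sess:
        return None
    bound = sess.get("secondary")
    if bound is not None and not (secondary and secrets.compare_digest(bound, secondary)):
        store.pop(sid, None)
        return None
    return sess["user"]

def planted_id_survives_login(login_fn):
    # Defender's check: True means a pre-login session id still authenticates.
    store = {}
    planted = new_session(store)  # id the client held before logging in
    login_fn(store, planted, "alice")
    return authenticated_user(store, planted) == "alice"
```

Only `login_vulnerable` lets the pre-login id survive; the secondary-cookie variant keeps the same id but a request without the matching cookie value is rejected and the session dropped.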
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
7 Pernicious Kingdoms | | Session Fixation | |
OWASP Top Ten 2004 | A3 | Broken Authentication and Session Management | CWE_More_Specific |
WASC | 37 | Session Fixation | |
References: None