Session Fixation

Description

Session Fixation is a vulnerability where an attacker forces a user to use a known session ID, allowing the attacker to hijack the session after the user logs in. This attack is possible when the application fails to issue a new session ID after authentication, enabling an attacker to set a session ID before login and then reuse it once the victim authenticates.

Additionally, if sessions remain valid after logout, attackers who obtain a valid session ID can continue accessing a user's account even after the user logs out. This happens when the application fails to invalidate sessions properly on logout, leaving them active for further use.

By exploiting session fixation, attackers can impersonate legitimate users, gaining unauthorized access to sensitive actions or personal data.

Examples

Setting a Fixed Session ID Before Login

  1. Attacker generates a session ID:

    GET /login
Set-Cookie: JSESSIONID=123456

  2. Attacker tricks the victim into using this session ID

    • By embedding the session ID in a phishing link:

      https://example.com/login;JSESSIONID=123456

    • By injecting a session ID in a cookie via Cross-Site Scripting (XSS).

  3. Victim logs in using the attacker's session ID

    • The session remains unchanged after login.

  4. Attacker now has access to the victim's authenticated session

    • Since the session ID remains the same before and after login, the attacker can use JSESSIONID=123456 to access the victim's account.

Session Remains Valid After Logout

Some applications fail to properly invalidate session tokens when a user logs out. In such cases:

  1. User logs in and gets a session token:

    Set-Cookie: sessionid=abcd1234; HttpOnly; Secure

  2. Attacker steals the session ID (e.g., via XSS, session fixation, or network sniffing).

  3. User logs out, expecting the session to be invalidated.

  4. Attacker reuses the same session token after logout:

    GET /dashboard
Cookie: sessionid=abcd1234
    • If the server does not invalidate the session properly, the attacker still has access.

Remediation

  1. Regenerate Session ID After Login

    • Immediately issue a new session ID upon authentication to prevent session fixation.

    • In PHP:

      session_regenerate_id(true);

    • In Java (Spring Security):

      http.sessionManagement().sessionFixation().newSession();

  2. Invalidate Session Properly on Logout

    • Ensure the session is fully destroyed on logout:

      session_destroy();

    • Remove session cookies in HTTP headers:

      Set-Cookie: sessionid=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly

  3. Set Secure Cookie Attributes

    • Use HttpOnly, Secure, and SameSite attributes to protect session cookies:

      Set-Cookie: JSESSIONID=abcd1234; HttpOnly; Secure; SameSite=Strict

  4. Implement Session Timeout and Expiry

    • Automatically expire inactive sessions to prevent hijacking.
    • Enforce session expiration after a fixed time (e.g., 30 minutes of inactivity).

  5. Restrict Session Sharing Across Devices

    • Implement device fingerprinting or IP binding to limit session use to the originating device.