Session Fixation

Session Fixation is an attack where the attacker sets (fixes) a user's session ID before authentication. When the victim logs in using the fixed session, the attacker can present that same session ID to access the victim's authenticated session.

How It Works

1. Attacker obtains a valid session ID from the application
   GET /login
   Response: Set-Cookie: sessionid=abc123

2. Attacker tricks victim into using this session
   - Send link: https://target.com/login?sessionid=abc123
   - Inject via XSS: document.cookie="sessionid=abc123"
   - Meta tag injection

3. Victim logs in with fixed session ID
   POST /login (sessionid=abc123)
   Username: victim
   Password: ******

4. Server authenticates victim under session abc123

5. Attacker accesses authenticated session
   GET /account (sessionid=abc123)
   → Logged in as victim!

Attack Vectors

  • URL parameter with session ID
  • Hidden form field
  • Cookie injection via XSS
  • Cookie injection via subdomain

Prevention

  • Regenerate session ID on authentication (most important)
  • Don't accept session IDs from URL parameters
  • Bind sessions to client properties (IP, User-Agent)
  • Set proper cookie flags (HttpOnly, Secure, SameSite)
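The following Python simulation is an added example, not code from the original page: a constructed in-memory session store whose login either keeps the client-presented ID (vulnerable) or regenerates it on authentication (hardened), plus a request helper that reads the session ID from the cookie only. The names SessionStore, simulate and session_id_from_request are invented for this example.

```python
import secrets


class SessionStore:
    """Constructed minimal session store: session ID -> {"user": ...}."""

    def __init__(self):
        self.sessions = {}

    def new_id(self):
        # Fresh, unpredictable ID (256 bits from the OS CSPRNG).
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")

    def login_vulnerable(self, sid, user):
        # Authenticates inside whatever session the client presented,
        # so an attacker-fixed ID becomes the authenticated session.
        self.sessions.setdefault(sid, {"user": None})["user"] = user
        return sid

    def login_hardened(self, sid, user):
        # Equivalent of reset_session / session_regenerate_id(true) /
        # cycle_key(): drop the pre-auth session and issue a new ID.
        self.sessions.pop(sid, None)
        new_sid = self.new_id()
        self.sessions[new_sid]["user"] = user
        return new_sid


def session_id_from_request(cookies, query):
    # Only the cookie is trusted for the session ID. A sessionid arriving
    # in the URL (the /login?sessionid=... vector) is ignored, and its
    # presence is returned so the application can log the attempt.
    return cookies.get("sessionid"), "sessionid" in query


def simulate(login):
    """Run the five steps from the page against a login function and return
    the user the attacker sees when reusing the fixed session ID."""
    store = SessionStore()
    fixed = store.new_id()                      # 1. attacker obtains a valid ID
    victim_cookie = fixed                       # 2. victim is made to use it
    victim_cookie = login(store, victim_cookie, "victim")  # 3./4. victim logs in
    assert store.user_for(victim_cookie) == "victim"      # victim is logged in either way
    return store.user_for(fixed)                # 5. attacker replays the fixed ID


if __name__ == "__main__":
    print("vulnerable:", simulate(SessionStore.login_vulnerable))  # victim
    print("hardened:  ", simulate(SessionStore.login_hardened))    # None
```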

Framework Protection

# Rails
reset_session  # Call after authentication

# PHP
session_regenerate_id(true);

# Django
request.session.cycle_key()