Session Fixation Prevention
A defense against attacks in which an adversary plants a session ID it already knows on a victim; the attack is mitigated by regenerating the session ID upon authentication.
Description
Session fixation is an attack where an adversary establishes a valid session with the web application, then tricks the victim into authenticating with that known session ID. Once the victim logs in, the attacker can use the pre-set session ID to access the victim's authenticated session. This attack exploits applications that do not regenerate session identifiers after a change in authentication state.
The primary defense is straightforward: always regenerate the session ID whenever the user's privilege level changes, most importantly at login. The old session ID must be invalidated on the server side, and a new session ID must be issued to the client. This ensures that even if an attacker managed to fixate a session ID, it becomes useless once the user authenticates because a completely new session ID is created. Modern web frameworks generally handle this automatically, but it requires explicit configuration in some cases.
Additional defensive measures include refusing session IDs that the server did not generate (strict session validation), setting session cookies with the Secure and HttpOnly flags to prevent interception and JavaScript access, using the SameSite cookie attribute to prevent cross-site session injection, and binding the session to additional client properties. Never accept session IDs from URL parameters, as this is the most common fixation vector.
Prompt Snippet
Prevent session fixation by calling session.regenerate() or equivalent immediately after successful authentication, before writing any user data to the session. Invalidate the old session ID server-side in Redis/your session store. Reject any session IDs not found in the server-side store (strict mode). Configure session cookies with HttpOnly, Secure, SameSite=Strict, and never accept session IDs from query parameters or POST bodies. In Express.js, use express-session with resave: false and ensure req.session.regenerate() is called in the login handler.
Related Terms
Session Management
The practice of securely creating, maintaining, and destroying user sessions to track authenticated state across stateless HTTP requests.
Brute Force Protection
A set of defense mechanisms that detect and block automated high-volume authentication attempts aimed at guessing credentials through exhaustive trial.
Privilege Escalation Prevention
Security measures that prevent users from gaining unauthorized access to resources or functions beyond their assigned permissions, whether by elevating their own role or accessing other users' data.
Auth Middleware / Guards
Reusable middleware or guard components that intercept requests to enforce authentication and authorization policies before they reach route handlers.