OWASP Periodic Table of Vulnerabilities - Session Fixation

Return to Periodic Table Working View

Root Cause Summary
An attacker can force a victim to use a session ID that is already known to the attacker; if the application does not change the ID when the privileges associated with the session change, the attacker then has access to those privileges via the known session ID.

Browser / Standards Solution
None

Perimeter Solution
None

Generic Framework Solution
The framework must not create new sessions using session IDs supplied by the HTTP client.

The framework must discard an existing session ID and generate a new token for a session any time the privilege level of the session changes. Examples of privileges changing include:
 * A user logging in after starting an anonymous session
 * An administrator authorizing access to secure features during a session where only user-level privileges are being used
 * A user switching to a different user account during an active session with another account
 * An anonymous user submitting sensitive data which will be stored in session state and later echoed back to the user

Custom Framework Solution
None

Custom Code Solution
None

Discussion / Controversy
None