CWE-384

Session Fixation

AI Translation Available

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Status

incomplete

Abstraction

compound

Affected Platforms

Web Based Web Server

Extended Description

AI Translation

Such a scenario is commonly observed when:

- A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user.

- An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.

- The application or container uses predictable session identifiers.

In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user's account through the active session.

Technical Details

AI Translation

Common Consequences

access control

Impacts

gain privileges or assume identity

Potential Mitigations

Phases:

architecture and design operation

Descriptions:

• For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.

• Invalidate any existing session identifiers prior to authorizing a new user session.

• Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

AI Generated Translation

Common Consequences

controllo degli accessi

Impacts

ottenere privilegi o assumere identità

Potential Mitigations

Phases:

architettura e design operazione

Descriptions:

• Per piattaforme come ASP che non generano nuovi valori per i cookie sessionid, utilizza un cookie secondario. In questo approccio, imposta un cookie secondario nel browser dell'utente con un valore casuale e imposta una variabile di sessione con lo stesso valore. Se la variabile di sessione e il valore del cookie non corrispondono mai, invalida la sessione e costringe l'utente a effettuare nuovamente l'accesso.

• Invalidare eventuali identificatori di sessione esistenti prima di autorizzare una nuova sessione utente.

• Utilizzare un firewall applicativo in grado di rilevare attacchi contro questa vulnerabilità. Può essere utile nei casi in cui il codice non possa essere corretto (perché controllato da una terza parte), come misura di prevenzione d'emergenza mentre vengono adottate misure di garanzia del software più complete, o per fornire una difesa in profondità [REF-1481].

CWE-384

Common Consequences

Impacts

Potential Mitigations

Common Consequences

Impacts

Potential Mitigations

Iscriviti alla newsletter