
Session Fixation

ID: 384
Date: (C) 2012-05-14 (M) 2017-11-08
Type: compound element
Status: INCOMPLETE
Abstraction Type: Base

Description

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation

Related Attack Patterns

Common Consequences

Scope: Access Control
Technical Impact: Gain privileges / assume identity
Notes: None

Detection Methods
None

Potential Mitigations

Phase: Architecture and Design
Description: Invalidate any existing session identifiers prior to authorizing a new user session.

Phase: Architecture and Design
Description: For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.

Relationships

Related CWE: CWE-384 Requires CWE-441
Type: Weakness
View: CWE-1000
Chain: None

Demonstrative Examples

  1. The following example shows a snippet of code from a J2EE web application where the application authenticates users with LoginContext.login() without first calling HttpSession.invalidate().
  2. The following example shows a snippet of code from a J2EE web application where the application authenticates users with a direct post to the j_security_check, which typically does not invalidate the existing session before processing the login request.
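
The two demonstrative examples above describe J2EE code that authenticates a user without first calling HttpSession.invalidate(). The following added Python model (not code from the CWE entry, from SecPod, or from any J2EE or ASP application) replays that flow against a constructed in-memory session table and shows both mitigations listed above: issuing a fresh session identifier after authentication, and the secondary binding cookie for platforms that cannot rotate the identifier. The session store, the user "alice" and her password are constructed for this example; a real application would call its container's own session invalidation and creation APIs instead.

```python
import secrets

# Constructed credential store (hypothetical user/password); real code checks a password hash.
_USERS = {"alice": "correct horse battery staple"}


def check_password(username, password):
    return username in _USERS and secrets.compare_digest(_USERS[username], password)


class SessionStore:
    """In-memory model of the container's session table (what HttpSession reads)."""
    def __init__(self):
        self._sessions = {}  # session id -> dict of session attributes

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


def login_vulnerable(store, presented_sid, username, password):
    """CWE-384 pattern: mark the session the browser presented as logged in
    without ever replacing its identifier."""
    if store.get(presented_sid) is None:
        presented_sid = store.create()
    if not check_password(username, password):
        return None
    store.get(presented_sid)["user"] = username
    return presented_sid  # whoever chose this id now holds an authenticated session


def login_fixed(store, presented_sid, username, password):
    """Mitigation 1: invalidate the pre-authentication session and issue a
    fresh identifier, so an id known before login is worthless afterwards."""
    if not check_password(username, password):
        return None
    store.invalidate(presented_sid)
    new_sid = store.create()
    store.get(new_sid)["user"] = username
    return new_sid


def login_with_binding_cookie(store, presented_sid, username, password):
    """Mitigation 2: the session id is left as is, but the session is bound
    to a second random cookie whose value is also kept in the session."""
    if store.get(presented_sid) is None:
        presented_sid = store.create()
    if not check_password(username, password):
        return None
    binding = secrets.token_urlsafe(32)
    session = store.get(presented_sid)
    session["user"] = username
    session["binding"] = binding
    return presented_sid, binding  # both are set as cookies on the browser


def authenticated_user(store, sid, binding_cookie=None):
    """Per-request check: a bound session whose binding cookie is missing or
    wrong is invalidated, forcing a fresh login (mitigation 2)."""
    session = store.get(sid)
    if session is None or "user" not in session:
        return None
    if "binding" in session and not secrets.compare_digest(session["binding"], binding_cookie or ""):
        store.invalidate(sid)
        return None
    return session["user"]


def run_fixation_scenario():
    """Replays the weakness against each login flow: a pre-login session id is what
    the victim's browser presents at login; the dict says what that id is worth after."""
    results, creds = {}, ("alice", "correct horse battery staple")

    store = SessionStore()
    planted = store.create()
    login_vulnerable(store, planted, *creds)
    results["vulnerable"] = authenticated_user(store, planted)  # "alice"

    store = SessionStore()
    planted = store.create()
    new_sid = login_fixed(store, planted, *creds)
    results["fixed"] = authenticated_user(store, planted)  # None
    results["fixed_new_id_differs"] = new_sid != planted

    store = SessionStore()
    planted = store.create()
    sid, binding = login_with_binding_cookie(store, planted, *creds)
    results["binding_owner"] = authenticated_user(store, sid, binding)  # "alice"
    results["binding"] = authenticated_user(store, sid)  # no binding cookie -> None
    results["binding_session_gone"] = store.get(sid) is None
    return results
```

`run_fixation_scenario()` returns a dict showing that only the vulnerable flow leaves the pre-login identifier authenticated. In servlet terms, `login_fixed` is the sequence HttpSession.invalidate() followed by obtaining a new session before storing the principal. Note that in the binding-cookie flow a single request with the right session id but no binding cookie also ends the legitimate user's session, which is exactly the "force the user to log on again" behaviour the mitigation describes.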

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy: 7 Pernicious Kingdoms
Name: Session Fixation

Taxonomy: OWASP Top Ten 2004
Id: A3
Name: Broken Authentication and Session Management
Fit: CWE_More_Specific

Taxonomy: WASC
Id: 37
Name: Session Fixation

References:
None

© 2013 SecPod Technologies