What is Session Fixation?




Session fixation is a web application vulnerability in which an attacker gains access to an authenticated session by controlling the user's session identifier.

Points of Vulnerability

  • Pages that issue sessions

  • Pages that require a session (after authorization)

Vulnerability Verification Methods

  • The issued session remains the same even after logging out and logging back in.

  • The session before logging in and the session after logging in are the same.

  • The session is not reissued (no `Set-Cookie` header in the response).

Attack Method

Attack Scenario

  1. The attacker logs in and creates a session identifier.

  2. The attacker forces this session identifier onto the user.

  3. The user logs in to the web application and starts a session.

  4. Because the user's session is the same one the attacker already holds, the attacker can access the authenticated session by refreshing.

Attack Scenario Process

Detailed Explanation

  1. The attacker sends an authentication request to the web application.

  2. The web application generates a session identifier for authentication.

  3. The session identifier is delivered to the user and is used when starting a session.

  4. The attacker forces a previously generated malicious session identifier onto the user.

  5. When the user starts a session, they unknowingly use the malicious session identifier provided by the attacker.

  6. The web application performs authentication verification and considers the malicious session identifier as valid.

  7. The attacker gains access to the authenticated session using the malicious session identifier.


Countermeasures

  1. Randomness of Session Identifiers: Session identifiers should be generated randomly and should be difficult to predict.

  2. Changing Session Identifiers: Session identifiers should be changed whenever a user is authenticated or gains authorization.

  3. Secure Session Management: Session identifiers should be securely stored. If using cookies, set the security attributes 'Secure' and 'HttpOnly' to ensure secure transmission and protection against client-side scripts.

  4. Session Monitoring and Logging: Monitor and log session activity in the system to detect and respond to suspicious activities.
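
A minimal sketch of items 1 to 3 in the list above, together with the before/after-login comparison from the verification methods. It is an added example, not code from the original article; the in-memory `SessionStore`, the cookie name `SESSIONID` and the user `alice` are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

class SessionStore:
    """In-memory session table (hypothetical, for illustration only)."""
    def __init__(self):
        self.sessions = {}  # session id -> authenticated user (None before login)

    def issue(self):
        # Item 1: 32 bytes from the OS CSPRNG, infeasible to predict.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login_vulnerable(self, sid, user):
        # Fixation-prone: authenticates the identifier the browser already had.
        self.sessions[sid] = user
        return sid

    def login_hardened(self, sid, user):
        # Item 2: invalidate the pre-login identifier and issue a fresh one.
        self.sessions.pop(sid, None)
        new_sid = self.issue()
        self.sessions[new_sid] = user
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid)

def session_cookie(sid):
    # Item 3: deliver the identifier with Secure and HttpOnly set.
    cookie = SimpleCookie()
    cookie["SESSIONID"] = sid  # cookie name is an assumption
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["httponly"] = True
    return cookie.output(header="Set-Cookie:")

def fixation_check(store, login):
    """Verification: compare the session identifier before and after login."""
    pre_login = store.issue()
    post_login = login(pre_login, "alice")  # constructed test user
    return {"same_id": pre_login == post_login,
            "old_id_authenticated": store.user_for(pre_login) == "alice"}

if __name__ == "__main__":
    store = SessionStore()
    print("vulnerable:", fixation_check(store, store.login_vulnerable))
    print("hardened:  ", fixation_check(store, store.login_hardened))
    print(session_cookie(store.issue()))
```

With the hardened login, the identifier known before authentication no longer maps to any user, so holding it gives no access to the authenticated session.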
