Session Fixation is an attack that forces a user’s session ID to a known value, permitting an attacker to hijack user sessions. After the user’s session ID has been fixed, the attacker waits for that user to log in and uses the predefined session ID value to assume the same online identity.
The Session Fixation attack is similar to session hijacking, which steals the established session between the client and the web server after the user logs in. But the session fixation attack fixes an established session on the victim's browser, so the attack starts before the user logs in. Session Fixation provides a much wider window of opportunity than would be provided by stealing a user’s session ID after they have logged into an application.
Session Fixation exploits a limitation in the way a web application manages session IDs, specifically its failure to assign a new session ID when a user authenticates. The attack consists of obtaining a valid session ID (e.g., by connecting to the application), inducing a user to authenticate with that session ID, and then hijacking the user-validated session.
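As an added example (not code from the original page), the following minimal server-side session handler shows the weakness described above beside its fix: one login routine keeps the pre-authentication session ID, so an ID planted before login stays valid afterwards, while the other destroys that session and binds the user to a fresh server-generated ID. The in-memory store and function names are constructed for illustration.

```python
import secrets

# Constructed in-memory session store: session_id -> {"user": name or None}
SESSIONS: dict[str, dict] = {}

def new_session() -> str:
    """Create an anonymous (pre-authentication) session and return its ID.
    This is the 'valid session ID' an attacker can obtain just by connecting."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid

def login_vulnerable(sid: str, user: str) -> str:
    """Authenticate but keep the caller-supplied session ID.

    Because the ID is not regenerated at login, an ID fixed on the victim's
    browser before login becomes an authenticated session for whoever knows it."""
    if sid not in SESSIONS:
        raise KeyError("unknown session")
    SESSIONS[sid]["user"] = user
    return sid

def login_fixed(sid: str, user: str) -> str:
    """Authenticate and rotate the session ID (the mitigation).

    The pre-authentication session is invalidated and the user is bound to a
    fresh, unpredictable ID that was never exposed before login."""
    if sid not in SESSIONS:
        raise KeyError("unknown session")
    SESSIONS.pop(sid)                    # invalidate the pre-auth / planted ID
    new_sid = secrets.token_urlsafe(32)  # fresh ID generated server-side
    SESSIONS[new_sid] = {"user": user}
    return new_sid

def whoami(sid: str):
    """Resolve a session ID to the authenticated user, or None if not logged in."""
    session = SESSIONS.get(sid)
    return session["user"] if session else None
```

In a real application the same rotation must happen on every privilege change (login, re-authentication, role elevation), and the new ID should only ever be set by the server, never accepted from a client-supplied value.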