Session Fixation


Session fixation vulnerabilities occur when the application doesn't sufficiently protect session identifiers. This allows an attacker to hijack active user sessions.

Most web application platforms provide functionality that will handle session management in a reasonably secure manner. However, some programmers, especially new ones, write their own session management code that doesn't sufficiently protect session identifiers. Some common mistakes are including session identifiers in URLs or making session identifiers predictable. Including the session identifier in the URL allows an attacker to send a link that includes a session identifier of their choice to the victim user. If the victim user clicks on that link and then logs into the application, the attacker will be able to hijack the user's session by clicking on that same link after the user has authenticated.

Session fixation vulnerabilities affect web applications.


Session fixation vulnerabilities allow attackers to perform actions on behalf of the application's users. The exact actions that the attacker can perform depend on what is made available by the application. One possible scenario would involve the attacker being able to assign themselves a session identifier of an administrative user. If that administrative user can modify content on the site or upload files, the attacker will be able to upload backdoor code that will allow them to execute arbitrary code with the privileges of the application. At that point, the attacker will have full control of the application and its assets, including all user data. The attacker might then leverage additional exploits to elevate their privileges on the compromised server.


To prevent session fixation vulnerabilities, use platform provided session management.

Application Check

To check for adequate protection against session fixation vulnerabilities, verify that platform provided session management is used.

Computer Based Training Links

Use the following Computer Based Training courses for more background information about this type of vulnerabilities.

Creating Secure J2EE Code

This course introduces and explains the precautionary measures you can use to avoid Web software security vulnerabilities, such as data leakage attacks, client/server protocol manipulation, injection attacks, and exploiting authentication. At the end of this course, you will have learned about time-tested defensive coding principles and how to use them to increase the security of your application, and prevent common security vulnerabilities.

COD 313 Creating Secure J2EE Code

Creating Secure Code - JRE Foundations

In this course, you will learn to recognize and remediate common Java Web software security vulnerabilities. This course has three modules, which introduce you to these vulnerabilities and help you to identify and remediate them.

COD 211 Creating Secure Code - JRE Foundations

Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact for help.

!Have a comment about this article? Send our team an email.