Session Fixation

In a session fixation attack, an attacker issues (sets or fixats) a user SID before the user logs into the target server and force the users browser into using the attacker's session. This attack eliminates the need to hijack the users SID.

Session fixation using a cross-site scripting vulnerability


   1. Session setup
  • The attacker sets up a "trap session" on the target server, obtains a SID, maintains the SID by repeatedly sending requests referencing it to avoid idle session timeout.
   2. Session fixation
  • The attacker tries to transport the trap session ID to the users browser, thereby fixing his session. 
  • Cookies have been predominantly used to store SID because of their security in comparison to URL arguments and hidden form fields. However, at the same time cookies also provide the most convenient way to exploiting session fixation vulnerabilities.
  • According to RFC2965, a cookie can be set up only to allow access to either the issuing server or the issuing servers domain.
   3. Session entrance
  • Finally, the attacker will wait until the user logs in to the target server and use his seesion. After the user logins to the trap session and before he has logged out, the attacker then enter the trap session and assume the users identity.  


   Preventing session fixation attacks is the responsibility of the web application, not the underlying web server. 

  • Preventing logs in to a chosen session: Web applications must ignore any SID provided by the users browser at login but always generate a new session once the user is successfully authenticated.
  • Binding the session ID to the browsers network address or the users SSL client certificate.
  • Session destruction: Upon logging out or timeout, SID needs to be deleted not only on the browser but also on the server. logging out or timeout, must take place 
  • Absolute session timeouts: This will prevent attackers from maintaining a trap session and the already entered users session for a long period of time.
  • Session Fixation Vulnerability in ASP.NET