Severity: high | CWE-384 | OWASP A07:2021

Session Fixation

The server reuses the same session ID before and after login, allowing an attacker who planted a known session ID to hijack the authenticated session.

How It Works

An attacker visits your site, gets a session ID, and tricks a victim into using that same ID (via a URL parameter or injected cookie). After the victim logs in, the session is now authenticated — and the attacker, who already knows the session ID, now has a valid authenticated session without any credentials.

Vulnerable Code

// BAD: same session ID used before and after login
async function login(req, res) {
  const user = await authenticate(req.body);
  // Session ID stays the same — attacker already knows it
  req.session.userId = user.id;
  res.redirect('/dashboard');
}

Secure Code

// GOOD: regenerate session ID on login
async function login(req, res, next) {
  const user = await authenticate(req.body);
  // Regenerate the session: express-session discards the old session and
  // issues a fresh ID the attacker doesn't know
  req.session.regenerate((err) => {
    // If regeneration fails, do not bind the user to the old session
    if (err) return next(err);
    req.session.userId = user.id;
    res.redirect('/dashboard');
  });
}

Real-World Example

Session fixation attacks are common on banking and e-commerce sites that accept session IDs via URL parameters (a legacy pattern). An attacker sends a phishing link containing their known session ID, and the victim unknowingly authenticates it.

How to Prevent It

  • Always regenerate the session ID immediately after a successful login
  • Never accept session IDs from URL parameters — use cookies only
  • Set short session timeouts and regenerate on privilege escalation
  • Use a well-maintained session library (express-session with proper configuration)

Affected Technologies

  • Node.js
  • Next.js
  • Python
  • PHP

Data Hogo detects this vulnerability automatically.
