Session Fixation Attack
Protecting Users from Session Fixation Exploits
Prevent Session Fixation AttacksTable of Contents
WHAT IS SESSION FIXATION ATTACK?
Session fixation and session hijacking are both attacks that attempt to gain access to a user’s client and web server session. In the session hijacking attack, the attacker attempts to steal the ID of a victim's session after the user logs in. In the session fixation attack, the attacker already has access to a valid session and tries to force the victim to use that particular session for his or her own purposes. The session fixation attack “fixes” an established session on the victim's browser, so the attack starts before the user logs in.
Session fixation attacks are designed to exploit authentication and session management flaws. Any system that allows one person to fixate another person's session identifier is vulnerable to this type of attack. Most session fixation attacks are web-based, and most rely on session identifiers being accepted from URLs or POST data.
Some of the most common session fixation attack techniques include:
- Session token in the URL argument
- Session token in a hidden form field
- Session ID in a cookie
Contrast is the clear customers’ choice
Contrast is named a Customers’ Choice in the 2021 Gartner Peer Insights “Voice of the Customer”: Application Security Testing report. With the highest percentage of 5-star ratings, this is the third consecutive year Contrast has received this powerful endorsement from customers.
Built for Developers. Trusted by Security.
Learn Secure Code
CROSS SITE SCRIPTING (XSS)
Learn about Cross site scripting (XSS) and how it affects your Java source code
SQL INJECTION
Learn about SWL injection and how it affects your Java source code
CLIENT SIDE INJECTION
Learn about client-side injection and how it can affect your source code