Skip to content

Session Fixation Attack

Protecting Users from Session Fixation Exploits

Prevent Session Fixation Attacks
Table of Contents

What is session fixation attack?

Session fixation and session hijacking are both attacks that attempt to gain access to a user’s client and web server session. In the session hijacking attack, the attacker attempts to steal the ID of a victim's session after the user logs in. In the session fixation attack, the attacker already has access to a valid session and tries to force the victim to use that particular session for his or her own purposes. The session fixation attack “fixes” an established session on the victim's browser, so the attack starts before the user logs in.

Session fixation attacks are designed to exploit authentication and session management flaws. Any system that allows one person to fixate another person's session identifier is vulnerable to this type of attack. Most session fixation attacks are web-based, and most rely on session identifiers being accepted from URLs or POST data.

Some of the most common session fixation attack techniques include:

  • Session token in the URL argument
  • Session token in a hidden form field
  • Session ID in a cookie


Learn More About Contrast Security

Contrast is the clear customers’ choice

Contrast is named a Customers’ Choice in the 2021 Gartner Peer Insights “Voice of the Customer”: Application Security Testing report. With the highest percentage of 5-star ratings, this is the third consecutive year Contrast has received this powerful endorsement from customers.


Built for Developers. Trusted by Security.


Learn Secure Code

Cross Site Scripting (XSS)


Learn about Cross site scripting (XSS) and how it affects your Java source code

SQL Injection - Java-1


Learn about SWL injection and how it affects your Java source code

Client Side Injection


Learn about client-side injection and how it can affect your source code