WHAT IS SESSION FIXATION ATTACK?
Session fixation and session hijacking are both attacks that attempt to gain access to a user’s client and web server session. In the session hijacking attack, the attacker attempts to steal the ID of a victim's session after the user logs in. In the session fixation attack, the attacker already has access to a valid session and tries to force the victim to use that particular session for his or her own purposes. The session fixation attack “fixes” an established session on the victim's browser, so the attack starts before the user logs in.
Session fixation attacks are designed to exploit authentication and session management flaws. Any system that allows one person to fixate another person's session identifier is vulnerable to this type of attack. Most session fixation attacks are web-based, and most rely on session identifiers being accepted from URLs or POST data.
Some of the most common session fixation attack techniques include:
- Session token in the URL argument
- Session token in a hidden form field
- Session ID in a cookie