Web Application Security Series: Session Fixation Attack Scenario

Joseph E. Ikhalia, PhD.
Apr 2 · 2 min read

A Session Fixation attack allows an attacker to hijack a valid user session. The attacker exploits weaknesses in the way a Web application manages users’ session IDs, more specifically the session management flaws of a vulnerable Web application. In this short and sweet article, I demonstrate a Session Fixation attack scenario and draw some vital lessons. Enjoy reading!

A typical Session Fixation attack scenario goes as follows:

  1. The attacker visits a Web application which has inadequate session management and gets a valid session token.
  2. The attacker prepares a link to the application which contains the session token and sends the link to the victim (e.g. through a phishing email or via instant messenger). Since the link is to a trusted website, the victim suspects nothing and clicks it.
  3. The victim logs into the vulnerable Web application using his/her credentials.
  4. The vulnerable Web application authenticates the victim but does not issue a new, unique session ID; the session ID supplied by the attacker remains in use.
  5. Thereafter, when the attacker visits the vulnerable Web application with the same session ID, he/she technically takes over the victim’s activity on the Application.

[Figure: A Session Fixation Attack Scenario Process]

Key Lessons:

  1. The Session ID is sent to the victim in a hyperlink and the victim accesses the site through the malicious URL.
  2. Session fixation can be achieved remotely, which bypasses the hurdle of using a shared computer to complete the attack.
  3. To defend against session fixation, ensure your Web application developers code their applications so that they assign a different session cookie immediately after a user authenticates to the application, discarding the pre-authentication session ID.
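To make lesson 3 concrete, here is an added example (my own illustration, not code from the article) of a minimal, constructed in-memory session store that runs the five-step scenario above twice: once with a store that keeps the pre-authentication session ID after login, and once with a store that rotates it. The names `SessionStore`, `login`, `whoami` and `run_scenario` are assumptions for this illustration and do not belong to any real framework.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Constructed toy session store: session_id -> {"user": username or None}."""
    rotate_on_login: bool
    sessions: dict = field(default_factory=dict)

    def new_session(self) -> str:
        # Server-issued, unpredictable ID (256 bits of randomness).
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, username: str) -> str:
        """Authenticate the holder of `sid` and return the ID to use from now on."""
        if sid not in self.sessions:
            # Separate defense from rotation: never adopt an ID the server
            # did not issue (e.g. one pasted into a URL).
            sid = self.new_session()
        if self.rotate_on_login:
            # Hardened behaviour (lesson 3): drop the pre-auth ID and bind the
            # authenticated user to a freshly generated one.
            del self.sessions[sid]
            sid = self.new_session()
        # Vulnerable behaviour: the same ID the attacker chose now carries
        # the victim's authenticated state.
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid: str):
        """Which user (if any) the server associates with this session ID."""
        return self.sessions.get(sid, {}).get("user")


def run_scenario(rotate_on_login: bool) -> dict:
    """Replay steps 1-5 of the article against one store configuration."""
    store = SessionStore(rotate_on_login)
    fixated = store.new_session()                 # step 1: attacker obtains a valid ID
    victim_sid = store.login(fixated, "victim")   # steps 2-4: victim logs in using that ID
    return {
        "attacker_sees": store.whoami(fixated),   # step 5: attacker reuses the fixated ID
        "victim_session_changed": victim_sid != fixated,
    }


if __name__ == "__main__":
    print("no rotation:", run_scenario(rotate_on_login=False))
    print("rotation   :", run_scenario(rotate_on_login=True))
```

With `rotate_on_login=False` the fixated ID resolves to `"victim"` after login, which is exactly the takeover in step 5; with `rotate_on_login=True` the old ID resolves to nothing, because the victim's authenticated state lives only under an ID the attacker never saw. Real frameworks expose this as a "regenerate session on login" call; the second check in `login` (refusing IDs the server never issued) closes the related case where the ID arrives in a URL rather than from the server.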
