What is a Session Fixation Attack?

Session Fixation is an attack that allows a malicious actor to hijack a valid user session by forcing that user to use a fixed session ID.



This technique abuses web applications that do not assign a new session ID when authenticating a user and instead reuse the ID already set in the browser.


Once the victim has logged in, the attacker can set the same token in their own session and hijack the victim's session, gaining access to the victim's account and information.


What is an example of a session-related vulnerability?

In order to exploit this vulnerability, an attacker needs to inject a valid session ID into the victim's browser. To do so, they have to rely on other flaws in the application, such as session tokens in the URL or in hidden form fields, or session tokens in an unsecured cookie that a malicious actor can manipulate, for example through an existing XSS.


Session fixation vs session hijacking

The main difference between session fixation and session hijacking is the way that attackers obtain the session ID and when the exploitation happens.


  • In session fixation, as previously said, the victim receives and uses a premade session ID that the attacker can reuse, even before a successful login.

  • In session hijacking, on the other hand, the attacker can only obtain the session ID set by the server after the user logs in.


What is session fixation protection?

There is no real or specific protection against session fixation attacks. The only way to mitigate them is to code web applications correctly, making sure the session ID is refreshed after authentication. This will not stop attackers from injecting their premade session IDs, but it does make those tokens ineffective after authentication.
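
The session refresh after authentication, as an added example that is not part of the original post: a toy in-memory session store with a login that keeps the pre-login ID beside one that issues a fresh ID. The class, function names and the sample session ID are assumptions made for illustration.

```python
import secrets

class SessionStore:
    """Toy in-memory server-side session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}  # session ID -> session data

    def start(self, presented_sid=None):
        # Like a permissive application, adopt whatever ID the browser presents.
        sid = presented_sid or secrets.token_urlsafe(32)
        self._sessions.setdefault(sid, {"user": None})
        return sid

    def login_vulnerable(self, sid, user):
        # Flaw: the pre-login ID is kept and simply marked as authenticated.
        self._sessions[sid]["user"] = user
        return sid

    def login_hardened(self, sid, user):
        # Fix: drop the pre-login session and bind the user to a fresh ID.
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None


def fixed_id_still_valid(harden):
    """Return the user reachable through the pre-login ID after login."""
    store = SessionStore()
    fixed_sid = "constructed-premade-session-id"  # known before login
    browser_sid = store.start(presented_sid=fixed_sid)
    login = store.login_hardened if harden else store.login_vulnerable
    browser_sid = login(browser_sid, "alice")
    assert store.user_for(browser_sid) == "alice"  # the real user is logged in
    return store.user_for(fixed_sid)


if __name__ == "__main__":
    print("vulnerable:", fixed_id_still_valid(harden=False))  # alice
    print("hardened:  ", fixed_id_still_valid(harden=True))   # None
```

With the hardened login the premade ID can still be injected, but it maps to no session once the user has authenticated.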

