Severity: Low to Medium
Session fixation occurs when an attacker is able to control the session identifier in use by a user when authenticating. Once the user has authenticated, the attacker has a valid session identifier for that user’s account.
An attacker performing a session fixation attack may be able to take complete control over a user account via their session identifier. This grants full access without any need for credential compromise.
When a user logs in to or out of an application, they should receive a brand new session identifier. This prevents session fixation attacks, as well as a few other less common attacks. Additionally, session identifiers should never be passed in or used from query strings; this prevents session leakage and assists in preventing session fixation.