Question 1

What is session fixation?

Accepted Answer

Session fixation is an attack where the attacker sets a known session identifier for a victim before they authenticate. Once the victim logs in using the fixed session ID, the attacker can use that same ID to access the authenticated session, effectively hijacking the user's account without stealing credentials.

Question 2

How do I prevent session fixation?

Accepted Answer

Always regenerate the session ID after successful authentication. Reject session IDs that were not generated by the server, set session cookies with Secure, HttpOnly, and SameSite attributes, implement session timeouts, bind sessions to additional client properties like IP address or user agent, and invalidate sessions on logout.

Session Fixation

Challenges

Frequently Asked Questions