Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%
Buy Us a Coffee

CWE-384 (会话固定) — Vulnerability Class 156

156 vulnerabilities classified as CWE-384 (会话固定). AI Chinese analysis included.

CWE-384, Session Fixation, is an authentication weakness where an application fails to invalidate existing session identifiers upon user login. This flaw allows attackers to predict or fix a victim’s session ID before authentication occurs. Typically, an attacker tricks a user into accessing a malicious link containing the attacker’s known session ID. When the victim logs in, the server associates the authenticated session with that pre-existing ID, granting the attacker immediate access to the victim’s account without needing credentials. To prevent this, developers must generate a new, random session identifier immediately after successful authentication. Additionally, implementing secure session management practices, such as regenerating IDs after privilege changes and using secure, HTTP-only cookies, ensures that stolen session tokens remain useless to attackers, effectively mitigating the risk of session hijacking.

MITRE CWE Description
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. Such a scenario is commonly observed when: A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user. An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session. The application or container uses predictable session identifiers. In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user's account through the active session.
Common Consequences (1)
Access ControlGain Privileges or Assume Identity
Mitigations (3)
Architecture and DesignInvalidate any existing session identifiers prior to authorizing a new user session.
Architecture and DesignFor platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.
OperationUse an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
Effectiveness: Moderate
Examples (2)
The following example shows a snippet of code from a J2EE web application where the application authenticates users with LoginContext.login() without first calling HttpSession.invalidate().
private void auth(LoginContext lc, HttpSession session) throws LoginException { ... lc.login(); ... }
Bad · Java
The following example shows a snippet of code from a J2EE web application where the application authenticates users with a direct post to the <code>j_security_check</code>, which typically does not invalidate the existing session before processing the login request.
<form method="POST" action="j_security_check"> <input type="text" name="j_username"> <input type="text" name="j_password"> </form>
Bad · HTML
CVE IDTitleCVSSSeverityPublished
CVE-2016-8609 Red Hat keycloak 授权问题漏洞 — keycloak 8.8 -2018-08-01
CVE-2018-5385 Navarino Infinity web interface up to version 2.2 is prone to session fixation attacks — Infinity 8.8 -2018-07-24
CVE-2018-0359 Cisco Meeting Server 安全漏洞 — Cisco Meeting Server unknown 4.0 -2018-06-21
CVE-2018-0229 多款Cisco产品AnyConnect Secure Mobility Client、Adaptive Security ApplianceSoftware和Firepower Threat Defense Software 安全漏洞 — Cisco ASA Software, FTD Software, and AnyConnect Secure Mobility Client 8.1 -2018-04-19
CVE-2018-5465 多款Belden产品安全漏洞 — Hirschmann Automation and Control GmbH Classic Platform Switches 8.8 -2018-03-06
CVE-2016-9125 Revive Adserver 安全漏洞 — Revive Adserver All versions before 3.2.3 9.8 -2017-03-28

Vulnerabilities classified as CWE-384 (会话固定) represent 156 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.