Session Fixation

Session Fixation is a security vulnerability in which an attacker sets a victim's Session Identifier (SID) to a value the attacker already knows. Once the victim logs in under that SID, the attacker can present the same SID and take over the authenticated session, gaining access to the victim's private information.

For Example:

Jason has determined that his neighbor Joe's bank site is susceptible to a session fixation attack. Jason then sends Joe an email with a link to the bank that sets the SessionID to a value known to him. Joe, trusting his neighbor, clicks on the link and proceeds to sign in to his account online. Jason can now use the link he sent Joe to access Joe's account.


This attack can be avoided by changing the user's SID whenever their permission level changes, e.g. at login. This means that even if Joe clicks on the link sent by Jason, the site generates a new SID for him as soon as he logs in. Jason does not know the new SID, so he cannot get access to Joe's account.
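To make the defence concrete, here is an added example (not from the original post) that simulates a server-side session store in Python and runs the Jason/Joe scenario twice: once with a login that keeps the pre-login SID, and once with a login that regenerates it the way PHP's session_regenerate_id(true) does. The store, the planted SID value and the function names are assumptions of this example.

```python
import secrets

# Constructed in-memory session store: SID -> session data (a stand-in for
# PHP's server-side session files; names and layout are assumptions).
SESSIONS = {}


def get_or_create_session(sid_from_request):
    """Return the SID this request will use.

    Like PHP with session.use_strict_mode off, any SID the client presents
    is accepted, which is what lets a link plant a known SID.
    """
    if sid_from_request is not None:
        SESSIONS.setdefault(sid_from_request, {"user": None})
        return sid_from_request
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": None}
    return sid


def login_without_regeneration(sid, user):
    """Vulnerable: authenticates in place, so a pre-set SID stays valid."""
    SESSIONS[sid]["user"] = user
    return sid


def login_with_regeneration(sid, user):
    """Fixed: issue a fresh SID at the privilege change and delete the old
    one (the equivalent of session_regenerate_id(true)), so a SID known to
    a third party before login no longer maps to the account."""
    data = SESSIONS.pop(sid)
    data["user"] = user
    new_sid = secrets.token_hex(16)
    SESSIONS[new_sid] = data
    return new_sid


def user_for(sid):
    """Which user a request carrying this SID would be treated as."""
    session = SESSIONS.get(sid)
    return session["user"] if session else None


def demo(login):
    """Run the scenario with the given login routine: return the user the
    planted SID resolves to after login, and whether the SID changed."""
    SESSIONS.clear()
    planted = "sid_known_to_jason"        # constructed value from the link
    sid = get_or_create_session(planted)  # Joe follows the link
    after_login = login(sid, "joe")       # Joe signs in
    return user_for(planted), after_login != planted
```

Calling demo(login_without_regeneration) shows the planted SID resolving to Joe's account, while demo(login_with_regeneration) shows it resolving to no session at all.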

Pseudocode [PHP]:

public function authenticate() {
    // get user name
    $user_name = $_POST['user_name'];

    // get password
    $password = $_POST['password'];

    // validate the user
    if( validateUser( $user_name, $password ) ) {
        // regenerate the session id at the privilege change (login) and
        // delete the old session file, so any SID fixed before login
        // no longer maps to this account
        session_regenerate_id( true );
        return true;
    } else {
        return false;
    }
}