Session fixation is an attack in which an attacker forces or predicts a session identifier and then waits for the victim to authenticate under that same session. It matters because a session is unsafe if the authenticated state can attach to an identifier the attacker already knows.
What is Session Fixation?
In a session fixation scenario, the attacker gets the victim to use a chosen session identifier before login. If the application does not regenerate the session properly after authentication, the attacker may later reuse the same identifier to hijack the now-authenticated session.
Common Defenses Against Session Fixation
Common defenses include regenerating session identifiers after login, rejecting user-supplied session IDs, and applying stronger session lifecycle controls.
Session Fixation vs. Session Hijacking
Session fixation sets up a known session identifier before authentication. Session hijacking typically steals or reuses an already active authenticated session later.
Frequently Asked Questions
Why is session fixation dangerous?
Because the attacker may not need to steal the session after login if they already forced the victim onto a known one.
How do teams prevent it?
By regenerating session identifiers after authentication and tightening session creation and binding logic.
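The two controls named above and in the defenses section (regenerating the session identifier at login and refusing to adopt identifiers the server never issued) are shown side by side in the following added example. It is illustrative code written for this page, not code from any framework; the in-memory store classes, the `_fresh_id` helper and the constructed "attacker-chosen-id" value are all assumptions made for the demonstration.

```python
import secrets


def _fresh_id() -> str:
    """Server-generated, unpredictable session identifier (hypothetical helper)."""
    return secrets.token_urlsafe(32)


class VulnerableSessionStore:
    """Keeps the same identifier across login and adopts client-supplied IDs:
    both behaviours that session fixation relies on."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": username or None}

    def resolve(self, client_sid):
        # Any ID the client presents is accepted as-is; a fresh one only if none given
        if client_sid is None:
            client_sid = _fresh_id()
        self.sessions.setdefault(client_sid, {"user": None})
        return client_sid

    def login(self, sid, username):
        # Authenticated state is attached to the pre-login identifier (the defect)
        self.sessions[sid]["user"] = username
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


class HardenedSessionStore:
    """Only honours IDs it issued, and rotates the ID when the user authenticates."""

    def __init__(self):
        self.sessions = {}

    def resolve(self, client_sid):
        # Unknown IDs are never adopted; the client is given a server-issued one
        if client_sid in self.sessions:
            return client_sid
        sid = _fresh_id()
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username):
        # Regenerate: retire the pre-auth ID and bind the session to a new one,
        # so an identifier known before login never becomes authenticated
        state = self.sessions.pop(sid)
        state["user"] = username
        new_sid = _fresh_id()
        self.sessions[new_sid] = state
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def run_fixation_attempt(store_cls):
    """Simulate the fixation sequence from the article against a store class.

    Returns whether the identifier known before login ended up authenticated,
    and whether the victim's identifier was rotated by login."""
    store = store_cls()
    # Attacker first obtains a legitimate, unauthenticated ID from the server
    planted_sid = store.resolve(None)
    # Victim's browser presents that ID, then the victim authenticates
    victim_sid = store.resolve(planted_sid)
    victim_sid_after = store.login(victim_sid, "victim")
    return {
        "planted_id_is_authenticated": store.user_for(planted_sid) == "victim",
        "victim_id_rotated": victim_sid_after != planted_sid,
    }


def accepts_unissued_id(store_cls, fabricated="attacker-chosen-id"):
    """True if the store adopts an identifier the server never generated
    (constructed sample value)."""
    store = store_cls()
    return store.resolve(fabricated) == fabricated


if __name__ == "__main__":
    for cls in (VulnerableSessionStore, HardenedSessionStore):
        print(cls.__name__, run_fixation_attempt(cls),
              "adopts unissued id:", accepts_unissued_id(cls))
```

The vulnerable store reports the planted identifier as authenticated after the victim logs in, which is the condition the FAQ describes; the hardened store pops the pre-login entry at authentication, so the planted ID resolves to no user and the victim continues under a fresh identifier only they hold. Regeneration and rejection of unissued IDs are separate checks because each closes a different route: rotation handles an attacker who obtained a real pre-auth ID, rejection handles one who fabricated it.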