Most websites have numerous session-related security issues. Today I am going to explain how to validate one of those issues. Session Fixation allows an attacker who knows a Session ID that was issued before login to impersonate the user, because the application keeps using that same ID once the user authenticates. Let’s get started on how to verify if your application is susceptible to this vulnerability.


Step #1: Browse to the website and view your cookies. You can use one of the tools mentioned in yesterday’s post to view the Session ID. The output should look similar to the unauthenticated response below. Depending on your application stack, the cookie you are looking for may be PHPSESSID, ASPSESSIONID, or JSESSIONID. In this example we are inspecting the JSESSIONID value.

Unauthenticated Request:
GET /login.html HTTP/1.1
Host: domain.com
User-Agent: Mozilla/5.0 Gecko/20110614 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Referer: domain.com
Content-Type: application/x-www-form-urlencoded

Unauthenticated Response:
HTTP/1.1 302 Found
Date: Wed, 9 Oct 2013 08:52:13 GMT
Server: Apache/2.2.22 (Win32) mod_ssl/2.2.22 OpenSSL/0.9.8t mod_jk/1.2.37
Set-Cookie: JSESSIONID=D2489035; Path=/; HttpOnly
Location: domain.com/login.html
Content-Length: 0
Content-Type: text/html


Step #2: Log into the application and inspect your cookies again. If you still have the same Session ID as you did while unauthenticated, the application is susceptible to Session Fixation. If you have a different Session ID, then you are not vulnerable to this particular issue (although it is important to note that you may have other session-related issues that you should still test for). In the example below, the JSESSIONID value D2489035 is unchanged after logon, so this web application is still susceptible to Session Fixation.

Logon Request:
POST /signin.html HTTP/1.1
Host: domain.com
User-Agent: Mozilla/5.0 Gecko/20110614 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Referer: domain.com/login.html
Content-Type: application/x-www-form-urlencoded

user_login=admin&user_password=admin&submit=Sign+in&user_token=e1ad4744-329f-4eb4-ae58-65298847f6c3

Logon Response:
HTTP/1.1 302 Found
Date: Wed, 9 Oct 2013 08:51:37 GMT
Server: Apache/2.2.22 (Win32) mod_ssl/2.2.22 OpenSSL/0.9.8t mod_jk/1.2.37
Set-Cookie: JSESSIONID=D2489035; Path=/; HttpOnly
Location: domain.com/auth/security-check.html
Content-Length: 0
Content-Type: text/html
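As an added example (not part of the original post), here is a small Python script that automates the comparison from Step 1 and Step 2 against saved responses: it pulls the session cookie out of each Set-Cookie header, reports whether the Session ID was rotated at logon, and notes whether the Secure and HttpOnly attributes are present. The response text is constructed to mirror the exchange above; the list of cookie names and the new ID value in the "fixed" sample are assumptions for the demo.

```python
from http.cookies import SimpleCookie

# Session cookie names for the stacks named in the post (assumed list; add your own).
SESSION_COOKIE_NAMES = ("JSESSIONID", "PHPSESSID", "ASPSESSIONID", "ASP.NET_SessionId")

# Constructed to mirror the exchange in the post; not captured traffic.
UNAUTHENTICATED_RESPONSE = """HTTP/1.1 302 Found
Date: Wed, 9 Oct 2013 08:52:13 GMT
Set-Cookie: JSESSIONID=D2489035; Path=/; HttpOnly
Location: domain.com/login.html
Content-Length: 0
"""

LOGON_RESPONSE = """HTTP/1.1 302 Found
Date: Wed, 9 Oct 2013 08:51:37 GMT
Set-Cookie: JSESSIONID=D2489035; Path=/; HttpOnly
Location: domain.com/auth/security-check.html
Content-Length: 0
"""

# What a remediated logon response would look like: a fresh ID (value constructed
# for the demo) plus the Secure attribute the post recommends.
FIXED_LOGON_RESPONSE = """HTTP/1.1 302 Found
Set-Cookie: JSESSIONID=9C41E7B0; Path=/; Secure; HttpOnly
Location: domain.com/auth/security-check.html
Content-Length: 0
"""


def parse_response_head(raw):
    """Split a raw HTTP response head into (status_line, [(name, value), ...]).
    Repeated headers such as Set-Cookie are preserved in order."""
    head = raw.split("\n\n", 1)[0]
    lines = [line.strip() for line in head.strip().splitlines() if line.strip()]
    status_line = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers


def session_cookie(headers):
    """Return the Morsel of the first session cookie set by the response, or None."""
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            if cookie_name in SESSION_COOKIE_NAMES:
                return morsel
    return None


def check_session_fixation(pre_auth_response, post_auth_response):
    """Steps 1 and 2 of the post: compare the Session ID issued before logon
    with the one in effect after logon, and report the cookie attributes."""
    pre = session_cookie(parse_response_head(pre_auth_response)[1])
    post = session_cookie(parse_response_head(post_auth_response)[1])
    if pre is None:
        return {"rotated": None, "note": "no session cookie issued before authentication"}
    # A logon response with no Set-Cookie leaves the browser holding the
    # pre-auth cookie, which is the same outcome as re-sending the old value.
    effective = post if post is not None else pre
    return {
        "name": pre.key,
        "pre_auth_id": pre.value,
        "post_auth_id": effective.value,
        "rotated": effective.value != pre.value,
        "secure": bool(effective["secure"]),
        "httponly": bool(effective["httponly"]),
    }


if __name__ == "__main__":
    for label, logon in (("as observed", LOGON_RESPONSE), ("remediated", FIXED_LOGON_RESPONSE)):
        result = check_session_fixation(UNAUTHENTICATED_RESPONSE, logon)
        verdict = "not rotated: Session Fixation candidate" if not result["rotated"] else "rotated"
        print(f"{label}: {result['name']} {result['pre_auth_id']} -> {result['post_auth_id']} ({verdict}); "
              f"Secure={result['secure']} HttpOnly={result['httponly']}")
```

To use it against a live application, paste the two responses captured with your proxy or browser tooling into the two strings; a `rotated` value of `False` is the finding described in Step 2, and a `secure` value of `False` is the missing attribute discussed in the mitigation section.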


To mitigate Session Fixation, your application needs to issue a new, unique Session ID at the moment a user authenticates, rather than carrying the unauthenticated Session ID into the authenticated session. It also helps to set the Secure attribute on the session cookie to aid in session hijacking prevention.
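To show what the mitigation looks like in code, here is an added Python example (not from the original post) of a minimal in-memory session store with two logon handlers: one that keeps the pre-logon Session ID, reproducing the behaviour seen in Step 2, and one that rotates to a fresh ID on successful authentication, invalidates the old one, and emits the cookie with the Secure and HttpOnly attributes. The user table, the reuse of the JSESSIONID cookie name and the ID length are assumptions for the demo.

```python
import hmac
import secrets

# Cookie name taken from the post's example; reused here for the demo.
SESSION_COOKIE = "JSESSIONID"

# Constructed credential table for the demo. A real application verifies
# against a password hash store, never plaintext.
USERS = {"alice": "correct horse battery staple"}


def credentials_ok(username, password):
    """Constant-time comparison against the demo table."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


class SessionStore:
    """Minimal in-memory session table keyed by an unguessable Session ID."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def new_id():
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def create(self):
        """Issue a pre-authentication session (the cookie Step 1 observes)."""
        sid = self.new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, old_sid):
        """Move any session data to a fresh ID and invalidate the old one.
        An unknown old_sid simply results in a brand-new empty session."""
        data = self._sessions.pop(old_sid, {"user": None})
        new_sid = self.new_id()
        self._sessions[new_sid] = data
        return new_sid


def login_without_rotation(store, sid, username, password):
    """The pattern behind the vulnerable response in Step 2: the ID issued
    before logon is simply upgraded to an authenticated session."""
    session = store.get(sid)
    if session is None or not credentials_ok(username, password):
        return None
    session["user"] = username
    return sid  # same ID before and after authentication


def login_with_rotation(store, sid, username, password):
    """Mitigation: on successful authentication, move to a new Session ID so
    that no ID known before logon identifies the authenticated session."""
    if not credentials_ok(username, password):
        return None
    new_sid = store.rotate(sid)
    store.get(new_sid)["user"] = username
    return new_sid


def set_cookie_header(sid):
    """Set-Cookie value carrying both attributes the post recommends."""
    return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    store = SessionStore()
    pre_auth = store.create()
    post_auth = login_with_rotation(store, pre_auth, "alice", "correct horse battery staple")
    print("before logon:", pre_auth)
    print("after logon: ", post_auth)
    print("old ID still valid?", store.get(pre_auth) is not None)
    print("Set-Cookie:", set_cookie_header(post_auth))
```

The important detail is in `rotate`: the old ID is removed from the table, not merely replaced in the cookie, so a request that still presents the pre-logon value gets no session at all. Most frameworks expose this directly (for example a "change session ID" or "regenerate session" call); the point is to invoke it on every successful logon.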