Session fixation is one of the most popular attacks against sessions. The reason is that it is the easiest way for an attacker to end up holding a valid session identifier: rather than stealing the victim's identifier, the attacker chooses one and gets the victim to adopt it. Its intended use is as a stepping-stone to a session hijacking attack, in which the attacker impersonates the user by presenting that same session identifier.
Session fixation is any approach that causes a victim to use a session identifier chosen by an attacker. The simplest example is a link with an embedded session identifier:
A victim who clicks this link will resume the session identified as 1234, and if the victim proceeds to log in, the attacker can hijack the victim's session to escalate his level of privilege: the attacker already knows the identifier, and after login it is bound to an authenticated user.
There are a few variants of this attack, including some that use cookies to plant the identifier instead of a link. Luckily, the safeguard is simple, straightforward, and consistent. Whenever there is a change in the level of privilege, such as when a user logs in, regenerate the session identifier with a fresh, random value generated by the server.
This effectively prevents session fixation attacks by ensuring that any user who logs in (or otherwise escalates the privilege level in any way) is assigned a fresh, random session identifier that the attacker never saw. For the safeguard to hold, the old identifier must also stop being honored; if the server keeps accepting it, the attacker still holds a valid handle on the authenticated session.
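As an added example (not code from the original text, which names no language or framework), the following Python sketch models the attack and the safeguard side by side. The SessionStore class, its regenerate_on_login switch, the run_fixation() helper and the use of 1234 as the attacker-chosen identifier are constructed for illustration; a real application would call its framework's own session-regeneration routine at the same point, immediately after a successful login.

```python
from __future__ import annotations

import secrets


class SessionStore:
    """Minimal in-memory session store, constructed for this example.

    regenerate_on_login=False reproduces the vulnerable behaviour described in
    the text: the server keeps using whatever identifier the client presented,
    so an attacker-chosen ID stays valid after the victim logs in.
    regenerate_on_login=True applies the safeguard: on login the session data is
    moved to a fresh random identifier and the old one is no longer honoured.
    """

    def __init__(self, regenerate_on_login: bool) -> None:
        self.regenerate_on_login = regenerate_on_login
        self.sessions: dict[str, dict] = {}

    def resume(self, sid: str) -> str:
        # Adopt the presented identifier, creating an empty anonymous session
        # if the server has never seen it. Accepting an unknown, client-supplied
        # ID is what lets the attacker plant "1234" in the first place.
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login(self, sid: str, username: str) -> str:
        """Authenticate the user behind `sid`; return the ID the client must use next."""
        sid = self.resume(sid)
        if self.regenerate_on_login:
            new_sid = secrets.token_hex(16)                   # fresh, random identifier
            self.sessions[new_sid] = self.sessions.pop(sid)   # old ID stops being valid
            sid = new_sid
        self.sessions[sid]["user"] = username                 # privilege change happens here
        return sid

    def whoami(self, sid: str) -> str | None:
        """Return the user bound to `sid`, or None if it is anonymous or unknown."""
        session = self.sessions.get(sid)
        return session["user"] if session else None


def run_fixation(store: SessionStore, fixed_sid: str = "1234") -> tuple[str | None, str | None]:
    """Replay the attack from the text against `store`.

    1. The attacker gets the victim to use fixed_sid (e.g. via a crafted link).
    2. The victim logs in with that session.
    3. The attacker presents fixed_sid and checks whose session it now is.
    Returns (what the attacker sees, what the victim sees using the identifier
    the server handed back after login).
    """
    victim_sid = store.login(fixed_sid, "victim")
    return store.whoami(fixed_sid), store.whoami(victim_sid)


if __name__ == "__main__":
    # Vulnerable store: the attacker's "1234" now belongs to the logged-in victim.
    print("without regeneration:", run_fixation(SessionStore(regenerate_on_login=False)))
    # Hardened store: "1234" is dead; only the fresh identifier reaches the victim.
    print("with regeneration:   ", run_fixation(SessionStore(regenerate_on_login=True)))
```

Two details of the hardened path matter in practice. The session data is moved with pop(), so the identifier the attacker knows is deleted rather than left as a second valid key to the same session, and the regeneration happens inside login(), at the moment of the privilege change, not on every request. A further hardening not covered by the text above is to refuse to create a session for an identifier the server never issued; the example deliberately leaves that out so the attack can be replayed.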