Quiz Entry - updated: 2026.07.05
How does a Session Fixation attack work and how can you prevent it?
The attacker plants a session ID they already know (e.g. via a crafted login link), waits for the victim to authenticate it, then rides that now-logged-in session — the fix is to regenerate the session ID on login.
Attack Steps:
- Attacker establishes anonymous session (gets session ID)
- Attacker creates malicious link:
https://application.ch/login?sessionid=abcde - Victim clicks the link and logs in
- Attacker now uses the same session ID (victim authenticated it!)
Prevention:
- Regenerate session ID on successful login
- Never accept session IDs from URL parameters
- Bind session to user properties (IP, user-agent)
- Use short session timeouts
- Implement proper logout that invalidates server-side session
Go deeper:
OWASP — Session Fixation — attack flow; why fixation happens before login, motivating session-ID regeneration.