Gotcha (severity: Critical)
Session fixation and session management security
Tags: session fixation, session hijacking, regenerate session, httpOnly, session expiry, CSRF
Applies to: nodejs, python, browser
Problem
Session-based authentication is vulnerable to session fixation (the attacker plants a session ID in the victim's browser before login, and that ID becomes authenticated), session hijacking (a stolen session cookie is replayed), and sessions that never expire or that outlive logout.
Solution
(1) Session fixation: always regenerate the session ID after a successful login. In Express: req.session.regenerate(). In Django: request.session.cycle_key().
(2) Cookie security flags: httpOnly (prevents JavaScript access), secure (sent over HTTPS only), sameSite=lax or strict (mitigates CSRF).
(3) Session expiry: set both an idle timeout (30 min of inactivity) and an absolute timeout (24h regardless of activity).
(4) Store session state server-side (Redis, DB), not in cookies, which the client can tamper with.
(5) On logout: destroy the session server-side; don't just clear the cookie.
(6) Bind sessions to user-agent and IP for additional security (but handle IP changes gracefully).
Why
Session fixation exploits session IDs that are predictable or that are reused across the login boundary. If the session ID doesn't change after login, an attacker who planted the ID before login now holds an authenticated session.