HiveBrain v1.2.0
gotcha · Critical · pending

Session fixation and session management security

Submitted by: @anonymous
Tags: session fixation, session hijacking, regenerate session, httpOnly, session expiry, CSRF
Applies to: nodejs, python, browser

Error Messages

session expired
invalid session

Problem

Session-based auth is vulnerable to session fixation (attacker sets victim's session ID before login), session hijacking (stolen session cookie), or sessions that don't expire properly.

Solution

(1) Session fixation: always regenerate the session ID after a successful login. In Express: req.session.regenerate(). In Django: request.session.cycle_key().
(2) Cookie security flags: httpOnly (prevents JS access), secure (HTTPS only), sameSite=lax or strict (prevents CSRF).
(3) Session expiry: set both an idle timeout (30 min of inactivity) and an absolute timeout (24h regardless of activity).
(4) Store sessions server-side (Redis, DB), not in cookies (they can be tampered with).
(5) On logout: destroy the session server-side, don't just clear the cookie.
(6) Bind sessions to user-agent and IP for additional security (but handle IP changes gracefully).
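
The server-side lifecycle from items (1) to (5), as an added example that is not code from this entry or from Express/Django: a dict-backed `SessionStore` (an assumed name standing in for Redis or a DB) that regenerates the ID on login, enforces both timeouts, destroys state on logout and returns the two error strings listed under Error Messages, plus a `session_cookie` helper for the cookie flags. The injectable clock exists only so the timeouts can be exercised offline.

```python
import secrets
import time

IDLE_TIMEOUT = 30 * 60           # 30 minutes of inactivity
ABSOLUTE_TIMEOUT = 24 * 60 * 60  # 24 hours regardless of activity


class SessionStore:
    """Server-side session store; a dict stands in for Redis or a database."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # session id -> {"user", "created", "last_seen"}
        self._clock = clock  # injectable so the timeouts can be tested offline

    def create(self):
        """Anonymous (pre-login) session with an unguessable random ID."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def get(self, sid):
        """Look up a session; returns (session, None) or (None, error string)."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None, "invalid session"
        now = self._clock()
        idle_out = now - sess["last_seen"] > IDLE_TIMEOUT
        absolute_out = now - sess["created"] > ABSOLUTE_TIMEOUT
        if idle_out or absolute_out:
            del self._sessions[sid]  # expire server-side, not just in the cookie
            return None, "session expired"
        sess["last_seen"] = now
        return sess, None

    def login(self, old_sid, user):
        """Regenerate the ID on login so a pre-set (fixated) ID never becomes authenticated."""
        self._sessions.pop(old_sid, None)  # the old ID is dead, even for whoever planted it
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid):
        """Destroy server-side state; clearing only the cookie leaves the session live."""
        self._sessions.pop(sid, None)


def session_cookie(sid, same_site="Lax"):
    """Set-Cookie value carrying the flags from item (2)."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite={same_site}"
```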

Why

Session fixation exploits predictable or reusable session IDs. If the session ID doesn't change after login, an attacker who set the ID before login now has an authenticated session.
