CWE-384: Session Fixation
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Common Consequences
Scope: Access Control
Technical Impact: Gain Privileges or Assume Identity
Potential Mitigations
Phase: Architecture and Design
Description: Invalidate any existing session identifiers prior to authorizing a new user session.
Phase: Architecture and Design
Description: For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.
Phase: Operation
Strategy: Firewall
Description: Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
Effectiveness: Moderate
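The two Architecture and Design mitigations above, as an added example that is not part of the CWE entry: a framework-free Python simulation of a login handler. `login_vulnerable` keeps whatever session identifier the client presented, so an identifier the attacker planted in the victim's browser becomes authenticated; `login_hardened` discards the pre-authentication identifier and issues a fresh one; `login_with_binding` models the secondary-cookie fallback for platforms that cannot rotate the identifier, binding the fixed identifier to a random value held both server-side and in a second cookie and invalidating the session on mismatch. The in-memory `SESSIONS` store, the `check_password` stub and the credentials are constructed for the example.

```python
import hmac
import secrets
from typing import Optional

# Constructed in-memory session store standing in for the server's session backend.
SESSIONS = {}


def new_session() -> str:
    """Create an anonymous (pre-authentication) session and return its identifier."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid


def check_password(username: str, password: str) -> bool:
    # Constructed credential check standing in for the real user store.
    return username == "alice" and password == "correct horse"


def whoami(sid: str) -> Optional[str]:
    """Resolve a session identifier to the authenticated user, or None."""
    return SESSIONS.get(sid, {}).get("user")


# --- Vulnerable: authenticates the identifier the client already presented. ---
def login_vulnerable(sid: str, username: str, password: str) -> str:
    if not check_password(username, password):
        return sid
    # The planted identifier is now an authenticated session for whoever knows it.
    SESSIONS.setdefault(sid, {})["user"] = username
    return sid


# --- Hardened: invalidate the presented identifier and issue a fresh one on login. ---
def login_hardened(sid: str, username: str, password: str) -> str:
    if not check_password(username, password):
        return sid
    SESSIONS.pop(sid, None)                 # any pre-auth identifier stops working
    fresh = secrets.token_urlsafe(32)       # new identifier the attacker never saw
    SESSIONS[fresh] = {"user": username}
    return fresh


def fixation_attack(login) -> Optional[str]:
    """Attacker obtains a valid anonymous sid and plants it in the victim's browser;
    the victim logs in with it. Returns the user the planted sid resolves to afterwards."""
    planted = new_session()
    login(planted, "alice", "correct horse")   # victim's login request carries `planted`
    return whoami(planted)                      # attacker reuses the planted sid


# --- Secondary-cookie binding for platforms that cannot regenerate the sid. ---
def login_with_binding(sid: str, username: str, password: str) -> Optional[str]:
    """Keep the fixed sid but bind it to a fresh random value that is stored in the
    session and returned for a second cookie on the user's browser."""
    if not check_password(username, password):
        return None
    sess = SESSIONS.setdefault(sid, {})
    sess["user"] = username
    sess["binding"] = secrets.token_urlsafe(32)
    return sess["binding"]


def validate_request(sid: str, secondary_cookie: Optional[str]) -> bool:
    """Accept a request only if the session variable and the secondary cookie match;
    otherwise invalidate the session so the user has to log on again."""
    sess = SESSIONS.get(sid)
    if sess is None or sess.get("user") is None:
        return False
    expected = sess.get("binding")
    if expected is None or secondary_cookie is None or not hmac.compare_digest(expected, secondary_cookie):
        SESSIONS.pop(sid, None)
        return False
    return True


def fixation_attack_with_binding():
    """Same planted-sid scenario against the secondary-cookie scheme. Returns
    (victim request accepted, attacker request accepted, user the sid resolves to)."""
    planted = new_session()
    victim_cookie = login_with_binding(planted, "alice", "correct horse")
    victim_ok = validate_request(planted, victim_cookie)
    attacker_ok = validate_request(planted, None)   # attacker holds the sid but not the cookie
    return victim_ok, attacker_ok, whoami(planted)


if __name__ == "__main__":
    print("vulnerable login, planted sid resolves to:", fixation_attack(login_vulnerable))
    print("hardened login, planted sid resolves to:", fixation_attack(login_hardened))
    print("secondary cookie (victim ok, attacker ok, user):", fixation_attack_with_binding())
```

The hardened variant is the preferred fix because rotation alone closes the hole; the binding variant only detects misuse after the fact and, as the mitigation text says, logs the legitimate user out as well when the mismatch is seen. In a real deployment the fresh identifier and the secondary cookie should also carry the `Secure` and `HttpOnly` attributes so they cannot be planted or read from script.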
Observed Examples
Reference: CVE-2022-2820
Website software for game servers does not properly terminate user sessions, allowing for possible session fixation
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | - |
| Implementation | - |
Applicable Platforms
Programming Languages
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name | Mapping Fit |
|---|---|---|---|
| 7 Pernicious Kingdoms | - | Session Fixation | - |
| OWASP Top Ten 2004 | A3 | Broken Authentication and Session Management | CWE More Specific |
| WASC | 37 | Session Fixation | - |
Key Information
CWE ID: CWE-384
Abstraction: Compound
Structure: Composite
Status: Incomplete