CWE-384: Session Fixation
Structure: Compound. Status: Incomplete.
Description
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Common consequences
- Access Control→Gain Privileges or Assume Identity
Potential mitigations
- Architecture and Design: Invalidate any existing session identifiers prior to authorizing a new user session.
- Architecture and Design: For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session and force the user to log on again.
- Operation: Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
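The following is an added worked example, written for this page and not taken from the CWE entry or from any framework, that puts the vulnerable login pattern beside the two design-level mitigations above: regenerating the session id at authentication, and (for platforms that cannot rotate the id) binding the session to a secondary random cookie that is checked on every request. The session backend (`SessionStore`), the browser modelled as a dict of cookies, and all function names are hypothetical constructs of the example.

```python
import hmac
import secrets


class SessionStore:
    """Constructed in-memory session backend: sid -> session variables."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def destroy(self, sid):
        self.sessions.pop(sid, None)


def login_vulnerable(store, cookies, user):
    """CWE-384 pattern: authenticate inside whatever session the client
    presented, so a session id the attacker planted becomes authenticated."""
    store.sessions[cookies["sid"]]["user"] = user


def login_regenerating(store, cookies, user):
    """Mitigation: invalidate the pre-auth session and issue a fresh id at login."""
    store.destroy(cookies.get("sid"))
    sid = store.create()
    store.sessions[sid]["user"] = user
    cookies["sid"] = sid  # Set-Cookie with the new id; the planted one is now dead


def login_with_binding_cookie(store, cookies, user):
    """Mitigation for platforms that cannot rotate the sid: set a second random
    cookie at login time and store the same value in the session."""
    sess = store.sessions[cookies["sid"]]
    token = secrets.token_urlsafe(32)
    sess["user"] = user
    sess["binding"] = token
    cookies["binding"] = token


def whoami_plain(store, cookies):
    """Per-request identity lookup that trusts the sid alone."""
    return store.sessions.get(cookies.get("sid"), {}).get("user")


def whoami_bound(store, cookies):
    """Per-request lookup for the binding-cookie scheme: on mismatch the
    session is invalidated and None is returned so the caller forces a
    fresh login."""
    sid = cookies.get("sid")
    sess = store.sessions.get(sid)
    if not sess or "user" not in sess:
        return None
    if not hmac.compare_digest(sess.get("binding", ""), cookies.get("binding", "")):
        store.destroy(sid)
        return None
    return sess["user"]


def fixation_scenario(login, whoami):
    """Attacker obtains a valid sid, plants it in the victim's browser (URL
    parameter, cookie injection from a sibling host, ...), waits for the victim
    to log in, then replays the planted sid. Returns (victim view, attacker view)."""
    store = SessionStore()
    attacker = {"sid": store.create()}   # attacker's own cookie jar
    victim = {"sid": attacker["sid"]}    # the same sid planted on the victim
    login(store, victim, "victim")
    return whoami(store, victim), whoami(store, attacker)


if __name__ == "__main__":
    for login, whoami in [(login_vulnerable, whoami_plain),
                          (login_regenerating, whoami_plain),
                          (login_with_binding_cookie, whoami_bound)]:
        victim_view, attacker_view = fixation_scenario(login, whoami)
        print(f"{login.__name__:26s} victim={victim_view!r} attacker={attacker_view!r}")
```

With `login_vulnerable` the attacker's replay of the planted id is answered as the victim; with `login_regenerating` the planted id no longer exists server-side; with `login_with_binding_cookie` the attacker holds the sid but never received the binding cookie, so `whoami_bound` destroys the session. Note that in the binding scheme a mismatch also logs the legitimate user out, which is the intended "force the user to log on again" behaviour, and that the comparison uses `hmac.compare_digest` so the token check is not timing-dependent.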
Related CWEs
Recent CVEs classified under this CWE
- CVE-2009-10007 (no score), 2026-06-09
- CVE-2026-41839 (score 4.2), 2026-06-09
- CVE-2026-11335 (score 6.3), 2026-06-05
- CVE-2025-67446 (score 9.8), 2026-06-04
- CVE-2026-33384 (no score), 2026-05-29
- CVE-2026-48545 (score 6.8), 2026-05-27
- CVE-2026-43827 (no score), 2026-05-25
- CVE-2026-45773 (score 6.5), 2026-05-15
- CVE-2026-41613 (score 8.8), 2026-05-12
- CVE-2026-30808 (score 8.1), 2026-05-12
- CVE-2025-65415 (score 5.4), 2026-05-11
- CVE-2026-40010 (score 9.1), 2026-05-06
- CVE-2025-46605 (score 6.2), 2026-04-17
- CVE-2026-34454 (score 3.5), 2026-04-14
- CVE-2026-31940 (score 7.5), 2026-04-10
- CVE-2025-70973 (score 4.8), 2026-03-09
- CVE-2026-24352 (score 9.8), 2026-02-27
- CVE-2026-2177 (score 7.3), 2026-02-08
- CVE-2025-7014 (score 5.7), 2026-01-29
- CVE-2025-7015 (score 5.7), 2026-01-29