Introduction

Session fixation is an attack in which the attacker plants a session ID of their choosing in the victim's browser before the victim authenticates (for example through a crafted link or a cookie set from a sibling subdomain). If the application keeps that ID across login, the attacker now holds an authenticated session without ever stealing a credential. The standard defence is to issue a new session ID at the moment of authentication and invalidate the old one. Applications that go further also watch for anomalous session ID changes around authentication, such as a session ID that changes between consecutive requests or a pre-authentication ID that is presented again after a new one was issued, and respond by invalidating the session and forcing re-authentication. This page covers the case where that protection fires on legitimate traffic and locks users out.
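
To make the attack and the defence concrete, here is an added Python simulation (not code from this page or from any framework) of a server-side session store whose login() applies the three Spring Security sessionFixation() policies named later on this page. The store, its strict handling of cookie values it never issued, and the attacker/victim flow are assumptions made for illustration; the point is that only the two rotating policies leave the attacker's planted ID dead after the victim logs in.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None
    attrs: dict = field(default_factory=dict)


class SessionStore:
    """Minimal server-side session store (illustrative). `policy` mirrors the
    Spring Security sessionFixation() options: 'none', 'migrateSession', 'newSession'."""

    def __init__(self, policy: str = "migrateSession") -> None:
        if policy not in ("none", "migrateSession", "newSession"):
            raise ValueError(policy)
        self.policy = policy
        self.sessions: Dict[str, Session] = {}

    def create(self) -> str:
        # 192 bits from a CSPRNG: IDs are unguessable, so fixation needs a planted ID
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = Session()
        return sid

    def resolve(self, sid: Optional[str]) -> str:
        # Strict session management (assumption): a cookie value the server never
        # issued is ignored and replaced by a fresh session.
        if sid is not None and sid in self.sessions:
            return sid
        return self.create()

    def login(self, sid: Optional[str], user: str) -> str:
        sid = self.resolve(sid)
        old = self.sessions[sid]
        if self.policy == "none":
            old.user = user            # vulnerable: the pre-auth ID becomes authenticated
            return sid
        new_sid = self.create()
        if self.policy == "migrateSession":
            self.sessions[new_sid].attrs = dict(old.attrs)  # keep pre-auth state, e.g. a cart
        self.sessions[new_sid].user = user
        del self.sessions[sid]         # the pre-auth ID must stop working immediately
        return new_sid

    def whoami(self, sid: Optional[str]) -> Optional[str]:
        s = self.sessions.get(sid) if sid else None
        return s.user if s else None


def run_fixation_attack(policy: str) -> dict:
    """Play the attack against a store with the given policy and report the outcome."""
    store = SessionStore(policy)
    attacker_sid = store.create()          # 1. attacker obtains a valid, unauthenticated ID
    victim_sid = attacker_sid              # 2. attacker plants it in the victim's browser
    store.sessions[victim_sid].attrs["cart"] = ["item-42"]   # 3. victim browses ...
    victim_sid = store.login(victim_sid, "alice")             # ... and logs in
    return {                               # 4. attacker replays the ID they planted
        "victim_logged_in": store.whoami(victim_sid) == "alice",
        "attacker_hijacked": store.whoami(attacker_sid) == "alice",
        "id_rotated": victim_sid != attacker_sid,
        "cart_preserved": store.sessions[victim_sid].attrs.get("cart") == ["item-42"],
    }


def forged_id_is_honoured(policy: str) -> bool:
    """Variant where the attacker never contacted the server and invented the ID."""
    store = SessionStore(policy)
    forged = "attacker-chosen-value"
    store.login(forged, "alice")
    return store.whoami(forged) == "alice"


if __name__ == "__main__":
    for p in ("none", "migrateSession", "newSession"):
        print(p, run_fixation_attack(p), "forged ID honoured:", forged_id_is_honoured(p))
```

Note what the two helper checks show together: rejecting IDs the server never issued stops only the crude variant where the attacker invents a value; an attacker who first fetches a real unauthenticated ID and plants that one still wins under the "none" policy, which is why rotation at login is the actual fix.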

Symptoms

  • User is logged out immediately after logging in
  • Application redirects to the login page with the message "Session invalidated for security reasons"
  • User can log in but is logged out again on the next request
  • Security logs show "Session fixation attempt detected" for the user
  • Error message: "Your session has been reset due to a security policy violation"

Common Causes

  • Load balancer without sticky sessions or a shared session store: the first request after login reaches a node that has never seen the new session ID and issues a fresh cookie
  • Application not regenerating the session ID after successful authentication (the vulnerability itself), or regenerating it without invalidating the old one
  • Session cookie set over both HTTP and HTTPS with different attributes (for example no Secure flag and different Path or Domain), so the browser holds two cookies of the same name and sends the stale one
  • Browser extension or plugin modifying the session cookie
  • Reverse proxy rewriting or dropping the Cookie or Set-Cookie headers, for example proxy cookie Path or Domain rewrites that no longer match what the application sets

Step-by-Step Fix

  1. Check the application's session fixation detection logs: identify what triggered the invalidation (which user, which client address, and which session IDs were involved).

```bash
# grep's basic syntax treats | literally; use -E for alternation and -i for case
grep -Ei "session[ ._]fixation" /var/log/app/security.log | tail -20
# Compare the session ID the client presented before authentication with the one
# issued after it; a legitimate login shows one rotation, not a stale ID coming back
```

  2. Ensure the application regenerates the session ID after login: implement proper session management.

```java
// Java Spring Security - session fixation protection
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
            // New session on login, old attributes copied across. Alternatives:
            // changeSessionId() (default on Servlet 3.1+, same session object, new ID),
            // newSession() (drops attributes), none() (vulnerable: pre-auth ID stays valid).
            .sessionFixation().migrateSession();
    }
}
// WebSecurityConfigurerAdapter is deprecated since Spring Security 5.7 and removed in 6.0;
// there, declare a SecurityFilterChain bean and call the same sessionManagement() API on it.
```

  3. Configure the load balancer to preserve session cookies: every request of a session must reach a node that knows that session, and the proxy must not rewrite or drop the cookie.

```nginx
# Nginx load balancer configuration
upstream backend {
    server app1:8080;
    server app2:8080;
    # Without a shared session store, use sticky sessions so the request after
    # login does not hit a node that has never seen the new session ID
    # ip_hash;
}
server {
    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        # Cookie is forwarded by default; shown explicitly to document the intent.
        # Do not add proxy_cookie_path/proxy_cookie_domain rewrites the app does not expect.
        proxy_set_header Cookie $http_cookie;
    }
}
```

  4. Verify cookie security attributes are set correctly: prevent cookie manipulation and stale duplicates.

```
# Session cookie attributes:
# Secure: true (HTTPS only; without it the cookie is also set and sent over plain HTTP)
# HttpOnly: true (not readable from JavaScript)
# SameSite: Strict or Lax (CSRF protection)
# Path: / (one cookie for the whole application; a narrower Path behind a proxy
#          can leave the old pre-auth cookie in the browser next to the new one)
# Domain: omit (a Domain cookie can be overwritten from any subdomain, which is
#          one way an attacker plants a fixed ID)
```

  5. Test the authentication flow after the fix: verify that the ID rotates at login and that the new session persists.

```bash
# 1. Obtain a pre-auth session cookie
curl -sS -c cookies.txt -o /dev/null https://app.example.com/login
grep JSESSIONID cookies.txt
# 2. Log in while presenting that cookie; save the cookies the reply sets
curl -sS -b cookies.txt -c cookies.txt -o /dev/null \
     -d "username=user&password=pass" https://app.example.com/login
# Expect a different JSESSIONID value than in step 1. Two JSESSIONID lines
# (same name, different Path) point at the cookie Path problem from Common Causes.
grep JSESSIONID cookies.txt
# 3. A subsequent request with the new cookie must stay authenticated
curl -sS -b cookies.txt -o /dev/null -w '%{http_code}\n' https://app.example.com/dashboard
```
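
Step 1 above stops at grep. The added Python below (not part of this page or of any product) goes one step further and classifies each fixation warning by the origin of the pre-authentication ID, which separates a real attack from the proxy and cookie-handling problems listed under Common Causes. The log lines are constructed for the example, and the event names and key=value layout are assumptions; adapt the two regular expressions to the real log format.

```python
import re
from typing import Dict, List

# Constructed sample of an application security log. The field layout
# (event name followed by key=value pairs) is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z INFO session.created id=sid-A1 ip=10.0.0.5
2024-05-01T10:00:05Z INFO auth.success user=alice pre_auth_id=sid-A1 post_auth_id=sid-B2 ip=10.0.0.5
2024-05-01T10:01:00Z INFO session.created id=sid-C3 ip=203.0.113.7
2024-05-01T10:01:30Z WARN session.fixation.detected user=bob pre_auth_id=sid-C3 post_auth_id=sid-D4 ip=198.51.100.9
2024-05-01T10:02:00Z WARN session.fixation.detected user=carol pre_auth_id=sid-ZZZZ post_auth_id=sid-E5 ip=10.0.0.8
2024-05-01T10:03:00Z INFO session.created id=sid-F6 ip=10.0.0.9
2024-05-01T10:03:02Z INFO auth.success user=dave pre_auth_id=sid-F6 post_auth_id=sid-G7 ip=10.0.0.9
2024-05-01T10:03:03Z WARN session.fixation.detected user=dave pre_auth_id=sid-F6 post_auth_id=sid-H8 ip=10.0.0.9
2024-05-01T10:04:00Z INFO session.created id=sid-I9 ip=10.0.0.10
2024-05-01T10:04:10Z WARN session.fixation.detected user=eve pre_auth_id=sid-I9 post_auth_id=sid-J0 ip=10.0.0.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<event>[\w.]+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

VERDICTS = {
    "client_supplied": "pre-auth ID was never issued by this server: attacker-chosen cookie "
                       "(or a log-rotation gap); treat as an attack",
    "planted": "pre-auth ID was issued to a different client IP: consistent with an ID "
               "obtained by an attacker and planted in the victim's browser",
    "stale_cookie_replay": "the same client presented its pre-auth ID again after a "
                           "successful login: check proxy / cookie Path and Domain handling",
    "cookie_rewritten": "same client, no prior login with that ID: check a proxy or browser "
                        "extension rewriting the session cookie",
}


def parse(log_text: str) -> List[Dict[str, str]]:
    """Turn each well-formed log line into a dict of its fixed fields plus key=value pairs."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # unrelated or malformed line
        ev = {"ts": m["ts"], "level": m["level"], "event": m["event"]}
        ev.update(dict(KV_RE.findall(m["rest"])))
        events.append(ev)
    return events


def triage(log_text: str) -> List[Dict[str, str]]:
    """Classify every session.fixation.detected event by where its pre-auth ID came from."""
    events = parse(log_text)
    issued = {e["id"]: e["ip"] for e in events if e["event"] == "session.created"}
    logged_in = {(e["user"], e["pre_auth_id"]) for e in events if e["event"] == "auth.success"}
    findings = []
    for e in events:
        if e["event"] != "session.fixation.detected":
            continue
        pre, ip, user = e["pre_auth_id"], e["ip"], e["user"]
        if pre not in issued:
            code = "client_supplied"
        elif issued[pre] != ip:
            code = "planted"
        elif (user, pre) in logged_in:
            code = "stale_cookie_replay"
        else:
            code = "cookie_rewritten"
        findings.append({"ts": e["ts"], "user": user, "pre_auth_id": pre, "ip": ip,
                         "verdict": code, "detail": VERDICTS[code]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']:<6} {f['verdict']:<20} {f['detail']}")
```

The "stale_cookie_replay" and "cookie_rewritten" verdicts are the ones that correspond to the symptoms on this page: the user did log in, the server did rotate the ID, and yet the old value came back from the same client, which is exactly what a non-sticky load balancer, a cookie Path mismatch or a cookie-rewriting extension produces. Feed the script the output of the grep in step 1 plus the surrounding session.created and auth.success lines, not only the warnings, or every verdict degrades to "client_supplied".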

Prevention

  • Always regenerate the session ID after successful authentication, and invalidate the old one
  • Configure session fixation protection to migrateSession or changeSessionId, never none
  • Accept only session IDs the server issued; treat an unknown cookie value as no session at all
  • Set Secure, HttpOnly, and SameSite attributes on all session cookies, and avoid the Domain attribute unless subdomains must share the session
  • Monitor session fixation detection events and investigate patterns (one user repeatedly, one client address, or one proxy node)
  • Test session management behind load balancers and reverse proxies, not only against a single application node
  • Implement session timeout and concurrent session limits as additional security layers