CWE - CWE-384: Session Fixation (4.19.1)
Home > CWE List > CWE-384: Session Fixation (4.19.1)  
ID
  • Home
  • Who We Are User Stories History Documents Videos
  • Basics
    Root Cause Mapping   ►
    Guidance Quick Tips Examples
    How to Contribute Weakness Content FAQs Glossary
  • Top-N Lists   ►
    Top 25 Software Top Hardware Top 10 KEV Weaknesses
    CWE List   ►
    Current Version Reports Visualizations Releases Archive
    Downloads REST API
  • News   ►
    Current News Blog Podcast News Archive
    CWE Board Working Groups & Special Interest Groups Email Lists
  • Search CWE List Search Website

    CWE-384: Session Fixation

    Weakness ID: 384 (Structure: Composite) Composite - a Compound Element that consists of two or more distinct weaknesses, in which all weaknesses must be present at the same time in order for a potential vulnerability to arise. Removing any of the weaknesses eliminates or sharply reduces the risk. One weakness, X, can be "broken down" into component weaknesses Y and Z. There can be cases in which one weakness might not be essential to a composite, but changes the nature of the composite when it becomes a vulnerability.
    Vulnerability Mapping: ALLOWED This CWE ID may be used to map to real-world vulnerabilities
    View customized information:
    For users who are interested in more notional aspects of a weakness. Example: educators, technical writers, and project/program managers. For users who are concerned with the practical application and details about the nature of a weakness and how to prevent it from happening. Example: tool developers, security researchers, pen-testers, incident response analysts. For users who are mapping an issue to CWE/CAPEC IDs, i.e., finding the most appropriate CWE for a specific issue (e.g., a CVE record). Example: tool developers, security researchers. For users who wish to see all available information for the CWE/CAPEC entry. For users who want to customize what details are displayed.
    ×

    Edit Custom Filter


    + Description
    Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
    + Extended Description

    Such a scenario is commonly observed when:

    • A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user.
    • An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.
    • The application or container uses predictable session identifiers.

    In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user's account through the active session.

    + Common Consequences
    Section HelpThis table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
    Impact Details

    Gain Privileges or Assume Identity

    		Scope: Access Control

    + Potential Mitigations
    Phase(s) Mitigation

    Architecture and Design
    Invalidate any existing session identifiers prior to authorizing a new user session.

    Architecture and Design
    For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.

    Operation

    Strategy: Firewall

    Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

    Effectiveness: Moderate

    Note: An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization.
    + Composite Components
    Nature Type ID Name
    Requires ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. 346 Origin Validation Error
    Requires ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. 441 Unintended Proxy or Intermediary ('Confused Deputy')
    Requires BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 472 External Control of Assumed-Immutable Web Parameter
    + Relationships
    Section Help This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
    + Relevant to the view "Research Concepts" (View-1000)
    Nature Type ID Name
    ChildOf Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. 610 Externally Controlled Reference to a Resource in Another Sphere
    CanFollow Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. 340 Generation of Predictable Numbers or Identifiers
    + Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (View-1003)
    Nature Type ID Name
    ChildOf Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. 610 Externally Controlled Reference to a Resource in Another Sphere
    + Relevant to the view "Architectural Concepts" (View-1008)
    Nature Type ID Name
    MemberOf Category Category - a CWE entry that contains a set of other entries that share a common characteristic. 1018 Manage User Sessions
    + Modes Of Introduction
    Section HelpThe different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.
    Phase Note
    Architecture and Design
    Implementation
    + Applicable Platforms
    Section HelpThis listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.
    Languages

    Class: Not Language-Specific (Undetermined Prevalence)

    Technologies

    Class: Web Based (Undetermined Prevalence)

    Web Server (Undetermined Prevalence)

    + Demonstrative Examples

    Example 1


    The following example shows a snippet of code from a J2EE web application where the application authenticates users with LoginContext.login() without first calling HttpSession.invalidate().

    (bad code)
    Example Language: Java 
    private void auth(LoginContext lc, HttpSession session) throws LoginException {
    ...
    lc.login();
    ...
    }

    In order to exploit the code above, an attacker could first create a session (perhaps by logging into the application) from a public terminal, record the session identifier assigned by the application, and reset the browser to the login page. Next, a victim sits down at the same public terminal, notices the browser open to the login page of the site, and enters credentials to authenticate against the application. The code responsible for authenticating the victim continues to use the pre-existing session identifier, now the attacker simply uses the session identifier recorded earlier to access the victim's active session, providing nearly unrestricted access to the victim's account for the lifetime of the session. Even given a vulnerable application, the success of the specific attack described here is dependent on several factors working in the favor of the attacker: access to an unmonitored public terminal, the ability to keep the compromised session active and a victim interested in logging into the vulnerable application on the public terminal.

    In most circumstances, the first two challenges are surmountable given a sufficient investment of time. Finding a victim who is both using a public terminal and interested in logging into the vulnerable application is possible as well, so long as the site is reasonably popular. The less well known the site is, the lower the odds of an interested victim using the public terminal and the lower the chance of success for the attack vector described above. The biggest challenge an attacker faces in exploiting session fixation vulnerabilities is inducing victims to authenticate against the vulnerable application using a session identifier known to the attacker.

    In the example above, the attacker did this through a direct method that is not subtle and does not scale suitably for attacks involving less well-known web sites. However, do not be lulled into complacency; attackers have many tools in their belts that help bypass the limitations of this attack vector. The most common technique employed by attackers involves taking advantage of cross-site scripting or HTTP response splitting vulnerabilities in the target site [12]. By tricking the victim into submitting a malicious request to a vulnerable application that reflects JavaScript or other code back to the victim's browser, an attacker can create a cookie that will cause the victim to reuse a session identifier controlled by the attacker. It is worth noting that cookies are often tied to the top level domain associated with a given URL. If multiple applications reside on the same top level domain, such as bank.example.com and recipes.example.com, a vulnerability in one application can allow an attacker to set a cookie with a fixed session identifier that will be used in all interactions with any application on the domain example.com [29].



    Example 2


    The following example shows a snippet of code from a J2EE web application where the application authenticates users with a direct post to the <code>j_security_check</code>, which typically does not invalidate the existing session before processing the login request.

    (bad code)
    Example Language: HTML 
    <form method="POST" action="j_security_check">
    <input type="text" name="j_username">
    <input type="text" name="j_password">
    </form>


    + Selected Observed Examples

    Note: this is a curated list of examples for users to understand the variety of ways in which this weakness can be introduced. It is not a complete list of all CVEs that are related to this CWE entry.

    Reference Description
    Website software for game servers does not proprerly terminate user sessions, allowing for possible session fixation
    + Weakness Ordinalities
    Ordinality Description
    Primary
    (where the weakness exists independent of other weaknesses)
    Resultant
    (where the weakness is typically related to the presence of some other weaknesses)
    + Memberships
    Section HelpThis MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.
    Nature Type ID Name
    MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 361 7PK - Time and State
    MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 724 OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
    MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 930 OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
    MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 1028 OWASP Top Ten 2017 Category A2 - Broken Authentication
    MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 1353 OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
    MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 1364 ICS Communications: Zone Boundary Failures
    MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 1366 ICS Communications: Frail Security in Protocols
    MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 1396 Comprehensive Categorization: Access Control
    MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 1442 OWASP Top Ten 2025 Category A07:2025 - Authentication Failures
    + Vulnerability Mapping Notes
    Usage ALLOWED
    (this CWE ID may be used to map to real-world vulnerabilities)
    Reason Other

    Rationale

    		This is a well-known Composite of multiple weaknesses that must all occur simultaneously, although it is attack-oriented in nature.

    Comments

    		While attack-oriented composites are supported in CWE, they have not been a focus of research. There is a chance that future research or CWE scope clarifications will change or deprecate them. Perform root-cause analysis to determine which weaknesses allow session fixation to occur, and map to those weaknesses. For example, predictable session identifiers might enable session fixation attacks to succeed; if this occurs, they might be better characterized as randomness/predictability weaknesses.
    + Notes

    Other

    Other attack vectors include DNS poisoning and related network based attacks where an attacker causes the user to visit a malicious site by redirecting a request for a valid site. Network based attacks typically involve a physical presence on the victim's network or control of a compromised machine on the network, which makes them harder to exploit remotely, but their significance should not be overlooked. Less secure session management mechanisms, such as the default implementation in Apache Tomcat, allow session identifiers normally expected in a cookie to be specified on the URL as well, which enables an attacker to cause a victim to use a fixed session identifier simply by emailing a malicious URL.
    + Taxonomy Mappings
    Mapped Taxonomy Name Node ID Fit Mapped Node Name
    7 Pernicious Kingdoms Session Fixation
    OWASP Top Ten 2004 A3 CWE More Specific Broken Authentication and Session Management
    WASC 37 Session Fixation
    + References
    [REF-6] Katrina Tsipenyuk, Brian Chess and Gary McGraw. "Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors". NIST Workshop on Software Security Assurance Tools Techniques and Metrics. NIST. 2005-11-07.
    <https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf>.
    [REF-1481] D3FEND. "D3FEND: Application Layer Firewall".
    <https://d3fend.mitre.org/dao/artifact/d3f:ApplicationLayerFirewall/>. (URL validated: 2025-09-06)
    + Content History
    + Submissions
    Submission Date Submitter Organization
    2006-07-19
    (CWE Draft 3, 2006-07-19)     		7 Pernicious Kingdoms
    + Modifications
    Modification Date Modifier Organization
    2025-12-11
    (CWE 4.19, 2025-12-11)     		CWE Content Team MITRE
    updated Applicable_Platforms, Relationships, Weakness_Ordinalities
    2025-09-09
    (CWE 4.18, 2025-09-09)     		CWE Content Team MITRE
    updated Potential_Mitigations, References
    2024-07-16
    (CWE 4.15, 2024-07-16)     		CWE Content Team MITRE
    updated Relationships
    2023-10-26 CWE Content Team MITRE
    updated Observed_Examples
    2023-06-29 CWE Content Team MITRE
    updated Mapping_Notes, Relationships
    2023-04-27 CWE Content Team MITRE
    updated Relationships
    2021-10-28 CWE Content Team MITRE
    updated Relationships
    2020-06-25 CWE Content Team MITRE
    updated Description
    2020-02-24 CWE Content Team MITRE
    updated References, Relationships
    2019-06-20 CWE Content Team MITRE
    updated Relationships
    2018-03-27 CWE Content Team MITRE
    updated Relationships
    2017-11-08 CWE Content Team MITRE
    updated Applicable_Platforms, Modes_of_Introduction, Relationships
    2015-12-07 CWE Content Team MITRE
    updated Relationships
    2013-07-17 CWE Content Team MITRE
    updated Relationships
    2012-10-30 CWE Content Team MITRE
    updated Potential_Mitigations
    2011-06-01 CWE Content Team MITRE
    updated Common_Consequences
    2010-02-16 CWE Content Team MITRE
    updated Taxonomy_Mappings
    2009-07-27 CWE Content Team MITRE
    updated Demonstrative_Examples, Related_Attack_Patterns
    2008-09-08 CWE Content Team MITRE
    updated Description, Relationships, Other_Notes, Taxonomy_Mappings
    2008-08-15 Veracode
    Suggested OWASP Top Ten 2004 mapping
    2008-07-01 Eric Dalci Cigital
    updated Time_of_Introduction
    Page Last Updated: January 21, 2026