
280 Session Fixation


Description

The session identifier carried in the session cookie does not change after a successful login. Because the server keeps accepting the same identifier before and after authentication, an attacker who plants (fixes) a session cookie they already know in the victim's browser, and then waits for the victim to log in, ends up holding an authenticated session for that user.


Impact

Hijack a valid user session.


Recommendation

On every successful login, invalidate the anonymous (pre-login) session on the server side and issue a brand-new session identifier to the client. The old identifier must stop being accepted, not merely be re-labelled as authenticated; otherwise whoever planted it still owns the session.
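The following is an added example, not code from this page or from any assessed system. It models a minimal server-side session store in Python and plays out the attack described above against two configurations: one that keeps the pre-login identifier after authentication (the vulnerable behaviour) and one that discards it and mints a fresh one (the recommended fix). The credential table, user name and password are constructed for the demo; how the attacker delivers the fixed cookie to the victim's browser is assumed rather than shown.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed credential table for the demo; a real application verifies a
# password hash rather than a plaintext password.
USERS = {"alice": "correct horse battery staple"}


def check_credentials(username: str, password: str) -> bool:
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


@dataclass
class Session:
    user: Optional[str] = None            # None while the session is anonymous
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """Server-side sessions keyed by the session cookie value (the session id)."""

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        """Issue an anonymous session, as a server does on a first request."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, sid: str, username: str, password: str) -> str:
        """Authenticate and return the session id the client must use from now on."""
        if not check_credentials(username, password):
            raise PermissionError("bad credentials")
        old = self._sessions.get(sid) or Session()
        if not self.regenerate_on_login:
            # Vulnerable: the id that was anonymous before login stays valid and
            # simply becomes authenticated, so whoever planted it now owns it.
            old.user = username
            self._sessions[sid] = old
            return sid
        # Fixed: invalidate the pre-login id and mint a fresh one. Anyone who
        # knew the old id is left with a dead session; only the browser that
        # receives the Set-Cookie for the new id is logged in.
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=username, data=old.data)
        return new_sid


def simulate_fixation(store: SessionStore) -> Dict[str, bool]:
    """Play the attack out against a store and report who ends up logged in."""
    # 1. Attacker obtains a valid anonymous id simply by visiting the site.
    attacker_sid = store.new_session()
    # 2. Attacker fixes that id in the victim's browser. The delivery channel
    #    (crafted link, cookie set from a sibling host, ...) is assumed here:
    #    the victim's browser now sends the attacker's cookie.
    victim_cookie = attacker_sid
    # 3. Victim logs in while sending the fixed cookie; the server answers with
    #    the id the victim's browser should keep using.
    victim_cookie = store.login(victim_cookie, "alice", USERS["alice"])
    # 4. Attacker replays the id they planted.
    hijacked = store.get(attacker_sid)
    victim_session = store.get(victim_cookie)
    return {
        "attacker_hijacked": hijacked is not None and hijacked.user == "alice",
        "victim_logged_in": victim_session is not None
        and victim_session.user == "alice",
    }


if __name__ == "__main__":
    print("vulnerable:", simulate_fixation(SessionStore(regenerate_on_login=False)))
    print("fixed:     ", simulate_fixation(SessionStore(regenerate_on_login=True)))
```

With `regenerate_on_login=False` the attacker's planted id is authenticated as alice after her login; with `regenerate_on_login=True` the victim is still logged in but the planted id no longer resolves to any session. Most frameworks expose this rotation directly (for example PHP's `session_regenerate_id(true)`, Django's `request.session.cycle_key()`, Rails' `reset_session`, and `req.session.regenerate()` in express-session); the check when reviewing a login handler is that the identifier sent back in `Set-Cookie` after authentication differs from the one received, and that the old one is rejected afterwards.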


Threat

Anonymous attacker from Internet.


Expected Remediation Time

120 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the source being assessed.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: N
  • User interaction: P
  • Confidentiality (VC): L
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: P

Requirements


Fixes


Last updated

2024/02/18