Glossary Term

Session Fixation

Attackers set a session ID before login and hijack it once the victim authenticates.


What it is

Session Fixation is an attack in which a user is made to authenticate under a session ID the attacker already knows, typically delivered through a crafted link or script, so the application binds the authenticated session to an identifier the attacker controls.

Why it matters

Attackers can hijack authenticated sessions without knowing credentials because they already possess the valid session identifier.

How to reduce risk

  • Regenerate session IDs immediately after login and privilege changes
  • Secure cookies with HttpOnly, Secure, and SameSite flags
  • Invalidate sessions on logout and enforce strict expiration
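The first two mitigations above, shown side by side in an added example (not code from this glossary): a minimal in-memory session store with a login that keeps the client-presented ID next to one that discards it and issues a fresh ID, plus a cookie header carrying the HttpOnly, Secure and SameSite flags. The store, its method names, the 15-minute TTL and the user names are constructed for this illustration.

```python
import secrets
import time

# Constructed for this example: server-side session lifetime of 15 minutes.
SESSION_TTL_SECONDS = 900


class SessionStore:
    """Minimal server-side session store used to contrast a fixation-prone
    login with one that rotates the session ID (example code only)."""

    def __init__(self):
        # session_id -> {"user": authenticated user or None, "created": timestamp}
        self._sessions = {}

    def new_session(self):
        """Issue an unpredictable pre-authentication session ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def get(self, sid):
        """Return the session entry, enforcing expiration on lookup."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if time.time() - entry["created"] > SESSION_TTL_SECONDS:
            del self._sessions[sid]
            return None
        return entry

    def login_vulnerable(self, sid, user):
        """Fixation-prone: authenticates under whatever ID the client
        presented, even one never issued by the server."""
        entry = self._sessions.setdefault(sid, {"user": None, "created": time.time()})
        entry["user"] = user
        return sid

    def login_hardened(self, sid, user):
        """Fixation-resistant: drop the pre-login ID and bind the
        authenticated user to a freshly generated one."""
        self._sessions.pop(sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid):
        """Invalidate the session server-side, not just client-side."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid, max_age=SESSION_TTL_SECONDS):
    """Cookie attributes that keep the ID out of scripts, off plaintext
    transports, and off most cross-site requests."""
    return (
        f"Set-Cookie: sid={sid}; Path=/; Max-Age={max_age}; "
        "HttpOnly; Secure; SameSite=Lax"
    )


def fixed_id_survives_login(login_method):
    """Check used to verify a login handler: does an ID known before
    authentication still map to the authenticated user afterwards?
    True means the handler is vulnerable to session fixation."""
    store = SessionStore()
    pre_login_sid = store.new_session()          # ID known before login (constructed)
    login = getattr(store, login_method)
    login(pre_login_sid, "alice")                # constructed user name
    entry = store.get(pre_login_sid)
    return entry is not None and entry["user"] == "alice"


if __name__ == "__main__":
    print("vulnerable handler keeps pre-login ID:",
          fixed_id_survives_login("login_vulnerable"))
    print("hardened handler keeps pre-login ID:",
          fixed_id_survives_login("login_hardened"))
    print(set_cookie_header("example-session-id"))
```

The `fixed_id_survives_login` check is the kind of assertion worth keeping in an application's test suite: it fails the build whenever a login path stops rotating the session identifier.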

Related Terms: Session Hijacking, Weak Authentication Configuration, Multi-Factor Authentication

External Resources:

  • OWASP – Session Fixation: https://owasp.org/www-community/attacks/Session_fixation