
Session Fixation

security CWE-384 OWASP A7:2021 CVSS 8.0 PHP 5.0+ Intermediate

Also Known As

session fixation attack, fixed session ID

TL;DR

An attacker forces a victim to use a known session ID, then hijacks their session after they authenticate.

Explanation

Session fixation occurs when an application accepts a session ID supplied by the attacker (via URL parameter or cookie) and reuses it after the user logs in. The attacker sets a known session ID, waits for the victim to authenticate, then uses the same ID to access the authenticated session. Prevention: always call session_regenerate_id(true) immediately after a successful login to generate a fresh session ID and invalidate the old one.

Diagram

sequenceDiagram
    participant A as Attacker
    participant V as Victim
    participant S as Server
    A->>S: GET /login
    S-->>A: Set session ID: abc123
    A->>V: Send link with ?PHPSESSID=abc123
    V->>S: Login with credentials + session abc123
    S-->>S: Authenticates user to session abc123
    Note over A,S: Attacker already has session abc123!
    A->>S: Request with session abc123
    S-->>A: Returns victim's authenticated session
    Note over S: Fix: session_regenerate_id(true) after login

Common Misconception

Session fixation is prevented by using HTTPS. The attack works by supplying the victim with a known session ID before login — the fix is calling session_regenerate_id(true) after authentication, regardless of transport security.

Why It Matters

Session fixation lets attackers pre-set a session ID they know — once the victim logs in, the attacker uses the same ID to access the authenticated session. Regenerating the session ID on every login is the single most important session security measure.

Common Mistakes

  • Not calling session_regenerate_id(true) immediately after a successful login.
  • Regenerating the ID but not deleting the old session — the old ID remains valid.
  • Accepting session IDs from URL parameters (?PHPSESSID=) — only accept them from cookies.
  • Setting the session cookie without the Secure and HttpOnly flags — the cookie can be sent over plain HTTP or read by JavaScript.

Code Examples

✗ Vulnerable
// Session ID never regenerated after login — attacker can pre-set it
session_start();
$_SESSION['user_id'] = $user->id; // same session ID before and after auth
✓ Fixed
session_start();

// After successful authentication — always regenerate
session_regenerate_id(true); // true = delete old session file
$_SESSION['user_id'] = $user->id;

// Also regenerate on privilege escalation (sudo/admin mode)
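The fixed snippet above, extended into a complete login handler that also covers the cookie and URL-session points from Common Mistakes. This is an added example, not code from the page; it assumes a hypothetical find_user_by_name() lookup that returns a row with id, password_hash and role columns.

```php
<?php
// Added example: hardened PHP login flow against session fixation.
// Assumes a hypothetical find_user_by_name($name) returning
// ['id' => int, 'password_hash' => string, 'role' => string] or null.

// Never accept a session ID from the URL (?PHPSESSID=...), only from a cookie,
// and reject IDs the server did not generate itself (strict mode).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

// Cookie flags: not sent over plain HTTP, not readable by JavaScript.
// Must be set before session_start().
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function login(string $username, string $password): bool
{
    $user = find_user_by_name($username);            // hypothetical lookup
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;                                // leave the session untouched on failure
    }

    // Privilege changed (anonymous -> authenticated): issue a fresh ID and
    // delete the old session data, so a pre-set ID is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['role']    = $user['role'];
    return true;
}

function elevate_to_admin(): void
{
    // Same rule on any later privilege escalation (e.g. entering admin mode).
    session_regenerate_id(true);
    $_SESSION['admin_mode'] = true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```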

Added 13 Mar 2026
Edited 22 Mar 2026
Tools & Severity

Severity: High. Fix effort: Low
Quick Fix: Call session_regenerate_id(true) immediately after any privilege change (login, sudo, role change).
Applies To: PHP 5.0+ web
Detection Hints: login/auth handler missing a session_regenerate_id(true) call after credential verification
Auto-detectable: No (semgrep)
CWE-384
