What is Session Fixation?
An attack that forces a user to use a known session ID, allowing the attacker to hijack the session after the user authenticates.
Session fixation tricks you into authenticating with a session the attacker already knows.
How It Works
- Attacker creates a session on the target website
- Tricks the victim into using that session ID (via URL parameter, cookie injection, etc.)
- Victim logs in, authenticating the attacker's session
- Attacker now has an authenticated session
Prevention (Developers)
- Regenerate the session ID after successful authentication
- Don't accept session IDs from URL parameters
- Set proper cookie attributes (HttpOnly, Secure, SameSite)
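The three developer controls above map onto a login handler in a direct way. The following Python example is added here and is not code from the original page; it models a minimal, framework-free session store and request/response (all names such as SessionStore, Request, vulnerable_login and hardened_login are assumptions for the demo, and the user "alice" and her password are constructed). It shows a handler that accepts a session ID from the URL, adopts unknown IDs and keeps the same ID across login, beside a hardened handler that ignores the URL, discards IDs it never issued, rotates the ID on authentication and emits HttpOnly/Secure/SameSite, then replays the fixation steps listed under How It Works against both so the difference is observable.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed, framework-free models of a request and response (assumptions for the demo).
@dataclass
class Request:
    cookies: dict[str, str]
    query: dict[str, str]
    form: dict[str, str]

@dataclass
class Response:
    body: str
    set_cookie: Optional[str] = None   # raw Set-Cookie header value, if any

USERS = {"alice": "correct horse"}    # constructed demo credential store


class SessionStore:
    """Hypothetical in-memory session store keyed by session ID."""

    def __init__(self) -> None:
        self.sessions: dict[str, dict] = {}

    def new_id(self) -> str:
        return secrets.token_urlsafe(32)   # unpredictable, server-generated

    def create(self) -> str:
        sid = self.new_id()
        self.sessions[sid] = {"user": None}
        return sid

    def rotate(self, old_sid: str) -> str:
        """Move the session state to a fresh ID and invalidate the old one, so an ID
        planted before login no longer names the authenticated session."""
        state = self.sessions.pop(old_sid, {"user": None})
        new_sid = self.new_id()
        self.sessions[new_sid] = state
        return new_sid


def check_password(user: Optional[str], password: Optional[str]) -> bool:
    return user is not None and USERS.get(user) == password


def vulnerable_login(store: SessionStore, req: Request) -> Response:
    # Weakness 1: the session ID is read from the URL, so a crafted link can fix it.
    sid = req.query.get("sid") or req.cookies.get("sid")
    # Weakness 2: an ID the server never issued is adopted instead of replaced.
    if sid not in store.sessions:
        sid = sid or store.new_id()
        store.sessions[sid] = {"user": None}
    if not check_password(req.form.get("user"), req.form.get("password")):
        return Response("login failed")
    # Weakness 3: the pre-login ID is kept after authentication.
    store.sessions[sid]["user"] = req.form["user"]
    return Response("ok", set_cookie=f"sid={sid}")


def hardened_login(store: SessionStore, req: Request) -> Response:
    # Only the cookie is consulted; a ?sid= URL parameter is ignored entirely.
    sid = req.cookies.get("sid")
    # An ID the server did not issue is discarded, never adopted.
    if sid not in store.sessions:
        sid = store.create()
    if not check_password(req.form.get("user"), req.form.get("password")):
        return Response("login failed")
    # Regenerate the ID on authentication: whatever ID the browser held before is dead.
    sid = store.rotate(sid)
    store.sessions[sid]["user"] = req.form["user"]
    cookie = f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
    return Response("ok", set_cookie=cookie)


LoginHandler = Callable[[SessionStore, Request], Response]


def attacker_can_hijack(login: LoginHandler, server_issued: bool) -> bool:
    """Replay the fixation steps against a handler: an ID is obtained (either issued by
    the server or simply chosen), planted on the victim through both a URL parameter and
    a cookie, the victim logs in, and we check whether the planted ID now names an
    authenticated session. True means the handler is vulnerable."""
    store = SessionStore()
    planted = store.create() if server_issued else "attacker-chosen-id"
    victim = Request(cookies={"sid": planted}, query={"sid": planted},
                     form={"user": "alice", "password": "correct horse"})
    resp = login(store, victim)
    assert resp.body == "ok", "the victim's own login should succeed either way"
    return store.sessions.get(planted, {}).get("user") == "alice"


def login_cookie_flags(login: LoginHandler) -> set[str]:
    """Attribute names on the Set-Cookie header a handler emits after a successful login."""
    resp = login(SessionStore(), Request(cookies={}, query={},
                                         form={"user": "alice", "password": "correct horse"}))
    parts = [p.strip() for p in (resp.set_cookie or "").split(";")[1:]]
    return {p.split("=", 1)[0] for p in parts}


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        print(name, "hijacked:", attacker_can_hijack(handler, server_issued=True),
              "flags:", sorted(login_cookie_flags(handler)))
```

Rotating the ID is the control that matters most: even if a planted ID reaches the victim through some channel the other two checks do not cover, the authenticated session lives under an ID the victim's browser only receives after login. Real frameworks expose this as a regenerate/rotate call on the session object; the store here is only a stand-in for that behaviour.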
Prevention (Users)
- Don't click login links from untrusted sources
- Verify you're on the correct domain before entering credentials
- Use a password manager (it won't auto-fill on the wrong domain)
Related Terms
Man-in-the-Middle Attack
An attack where the adversary secretly intercepts and potentially alters communications between two parties who believe they're communicating directly with each other. MITM attacks can capture credentials, inject malware, or modify data.
Session Hijacking
An attack where an attacker steals or predicts a valid session token to gain unauthorized access to a user's authenticated session. Once hijacked, the attacker can act as the legitimate user without knowing their password.