Session Lifecycle

Session Fixation

The login flow keeps whatever session ID the browser presented before authentication instead of issuing a new one, so an attacker who plants a session ID of their choosing in the victim's browser holds a valid, authenticated session as soon as the victim logs in.

CWE-384
Fixation probe


Expected Findings

  • Login does not regenerate the session ID.
  • An attacker-planted cookie remains valid after the victim authenticates.
  • Session cookie is set without the `Secure` attribute and without the `__Host-` name prefix.

Primary Flows

Signals

Bug
// no req.session.regenerate() after auth