CWE-384 Compound Incomplete

Session Fixation

Session fixation occurs when an application authenticates a user without first destroying the previous session ID. This allows an attacker who knows that session identifier to hijack the user's…

Definition

What is CWE-384?

Session fixation occurs when an application authenticates a user without first destroying the previous session ID. This allows an attacker who knows that session identifier to hijack the user's authenticated session.
This vulnerability typically happens in three scenarios: when an app authenticates a user while keeping their old session active, when an attacker can force a user to use a known session identifier, or when the application uses predictable session IDs that are easy to guess. Essentially, the system fails to issue a fresh, secure session token upon login, leaving the door open for session theft. In a common attack, the attacker first creates a session on the target application and notes its identifier. They then trick or redirect the victim into using that same session ID, often before the victim logs in. Once the victim authenticates, the attacker can use the known identifier to access the now-privileged session, effectively taking over the user's account without needing their credentials.
Real-world impact

Real-world CVEs caused by CWE-384

  • CVE-2022-2820

    Website software for game servers does not proprerly terminate user sessions, allowing for possible session fixation

How attackers exploit it

Step-by-step attacker path

  1. 1

    The following example shows a snippet of code from a J2EE web application where the application authenticates users with LoginContext.login() without first calling HttpSession.invalidate().

  2. 2

    In order to exploit the code above, an attacker could first create a session (perhaps by logging into the application) from a public terminal, record the session identifier assigned by the application, and reset the browser to the login page. Next, a victim sits down at the same public terminal, notices the browser open to the login page of the site, and enters credentials to authenticate against the application. The code responsible for authenticating the victim continues to use the pre-existing session identifier, now the attacker simply uses the session identifier recorded earlier to access the victim's active session, providing nearly unrestricted access to the victim's account for the lifetime of the session. Even given a vulnerable application, the success of the specific attack described here is dependent on several factors working in the favor of the attacker: access to an unmonitored public terminal, the ability to keep the compromised session active and a victim interested in logging into the vulnerable application on the public terminal.

  3. 3

    In most circumstances, the first two challenges are surmountable given a sufficient investment of time. Finding a victim who is both using a public terminal and interested in logging into the vulnerable application is possible as well, so long as the site is reasonably popular. The less well known the site is, the lower the odds of an interested victim using the public terminal and the lower the chance of success for the attack vector described above. The biggest challenge an attacker faces in exploiting session fixation vulnerabilities is inducing victims to authenticate against the vulnerable application using a session identifier known to the attacker.

  4. 4

    In the example above, the attacker did this through a direct method that is not subtle and does not scale suitably for attacks involving less well-known web sites. However, do not be lulled into complacency; attackers have many tools in their belts that help bypass the limitations of this attack vector. The most common technique employed by attackers involves taking advantage of cross-site scripting or HTTP response splitting vulnerabilities in the target site [12]. By tricking the victim into submitting a malicious request to a vulnerable application that reflects JavaScript or other code back to the victim's browser, an attacker can create a cookie that will cause the victim to reuse a session identifier controlled by the attacker. It is worth noting that cookies are often tied to the top level domain associated with a given URL. If multiple applications reside on the same top level domain, such as bank.example.com and recipes.example.com, a vulnerability in one application can allow an attacker to set a cookie with a fixed session identifier that will be used in all interactions with any application on the domain example.com [29].

  5. 5

    The following example shows a snippet of code from a J2EE web application where the application authenticates users with a direct post to the j_security_check, which typically does not invalidate the existing session before processing the login request.

Vulnerable code example

Vulnerable Java

The following example shows a snippet of code from a J2EE web application where the application authenticates users with LoginContext.login() without first calling HttpSession.invalidate().

Vulnerable Java 
private void auth(LoginContext lc, HttpSession session) throws LoginException {
  	...
  	lc.login();
  	...
  }
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-384

  • Architecture and Design Invalidate any existing session identifiers prior to authorizing a new user session.
  • Architecture and Design For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.
  • Operation Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
Detection signals

How to detect CWE-384

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-384 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-384?

Session fixation occurs when an application authenticates a user without first destroying the previous session ID. This allows an attacker who knows that session identifier to hijack the user's authenticated session.

How serious is CWE-384?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-384?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-384?

Invalidate any existing session identifiers prior to authorizing a new user session. For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.

How does Plexicus detect and fix CWE-384?

Plexicus's SAST engine matches the data-flow signature for CWE-384 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-384?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/384.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-384

CWE-610 Parent

Externally Controlled Reference to a Resource in Another Sphere

This vulnerability occurs when an application uses user-supplied input to reference a resource located outside its intended security…

CWE-1021 Sibling

Improper Restriction of Rendered UI Layers or Frames

This vulnerability occurs when a web application fails to properly control whether its pages can be embedded within frames or UI layers…

CWE-15 Sibling

External Control of System or Configuration Setting

This vulnerability occurs when an application allows users to directly modify critical system settings or configuration values from an…

CWE-441 Sibling

Unintended Proxy or Intermediary ('Confused Deputy')

A confused deputy vulnerability occurs when a system receives a request from a client and forwards it to an external destination without…

CWE-470 Sibling

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

This vulnerability occurs when an application uses unvalidated external input, like a URL parameter or form field, to dynamically decide…

CWE-601 Sibling

URL Redirection to Untrusted Site ('Open Redirect')

An open redirect vulnerability occurs when a web application uses unvalidated user input to determine the destination of a redirect,…

CWE-611 Sibling

Improper Restriction of XML External Entity Reference

This vulnerability occurs when an application processes XML input without properly restricting external entity references. Attackers can…

CWE-73 Sibling

External Control of File Name or Path

This vulnerability occurs when an application uses unvalidated user input to construct file or directory paths for filesystem operations.

CWE-918 Sibling

Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) occurs when a web application fetches a remote resource based on user-controlled input, but fails to…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.