# Session fixation

## Session Fixation <a href="#session-fixation" id="session-fixation"></a>

Session fixation attacks exploit a weakness in systems that let one person fix (set in advance) another person's session identifier, so that the attacker already knows the identifier under which the victim will later authenticate.

### Exploitation <a href="#exploitation" id="exploitation"></a>

#### 1. Attacker Logs In to the Website to Get a Session <a href="#id-1-attacker-logins-website-to-get-the-session" id="id-1-attacker-logins-website-to-get-the-session"></a>

The attacker logs in to the legitimate website and records the session value it issues, for example:

```shellscript
Cookie: sessid=abcdef
```

#### 2. Attacker Sends the Session Value to Victim <a href="#id-2-attacker-sends-the-session-value-to-victim" id="id-2-attacker-sends-the-session-value-to-victim"></a>

There are various ways to deliver the attacker's session value to the victim. For example:

* Send an email.
* Predict a session value.
* Eavesdrop on a session using a packet sniffer such as Wireshark.
* XSS that writes the value into the victim's cookie:

  ```html
  <script>document.cookie = "sessid=ATTACKERS_SESSION_ID"</script>
  ```

#### 3. Victim Logs In with the Attacker's Session <a href="#id-3-victim-logins-with-attackers-session" id="id-3-victim-logins-with-attackers-session"></a>

If the victim logs in while the attacker's session value is set in their cookie, that session is now authenticated as the victim, and the attacker can control the victim's account on the website. This only works when the site keeps the pre-login session identifier after authentication instead of issuing a new one.

### References <a href="#references" id="references"></a>

* [OWASP](https://owasp.org/www-community/attacks/Session_fixation)

{% hint style="info" %}
**Steps to reproduce**

1. Open example.com/login.
2. Open the browser devtools.
3. Get the value of the `SESSION` cookie.
4. Open example.com/login in an incognito tab.
5. In the incognito tab, change the cookie value to the one obtained in step 3.
6. In the normal tab (the one from steps 1-3), log in as any user.
7. Refresh the page in the incognito tab.

**Result**

The incognito tab is now also logged in as the user from step 6, which shows the session identifier was not regenerated at login.
{% endhint %}
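As an added illustration that is not part of the original page, the following Python model of a server-side session store replays the three exploitation steps above and the reproduction steps in the box against two server behaviours: binding the user to whatever session id the client already holds (fixation succeeds) versus rotating the session id at login, which is the standard mitigation. `SessionStore`, its methods and `fixation_succeeds` are hypothetical names chosen for this example.

```python
import secrets


class SessionStore:
    """Hypothetical minimal in-memory session store (example only)."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> {"user": username or None}

    def new_session(self) -> str:
        # Server-generated, unguessable id (defeats the "predict a value" path)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate session `sid` as `user`; return the id the client
        must use from now on (the server sets it in a new Set-Cookie)."""
        if sid not in self.sessions:
            # Never adopt a client-supplied id the server did not issue
            sid = self.new_session()
        if self.rotate_on_login:
            # Mitigation: issue a fresh id at the privilege change and drop
            # the old one, so a pre-set id is never bound to the victim.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid: str):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def fixation_succeeds(rotate_on_login: bool) -> bool:
    """Replay the attack: attacker obtains an id (step 1), the victim logs
    in with that id (steps 2-3), attacker checks whether the id he still
    holds now carries the victim's identity."""
    store = SessionStore(rotate_on_login)
    attacker_sid = store.new_session()      # step 1: attacker's own session
    store.login(attacker_sid, "victim")     # step 3: victim logs in with it
    return store.whoami(attacker_sid) == "victim"


if __name__ == "__main__":
    print("no rotation:", fixation_succeeds(False))   # True: account hijacked
    print("rotate on login:", fixation_succeeds(True))  # False: attacker's id is dead
```

In a real deployment the same check is the one to run after a login request: the session cookie value in the response must differ from the one sent in the request.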
