Invalidating any existing session
If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.

In order to exploit the code above, an attacker could first create a session (perhaps by logging into the application) from a public terminal, record the session identifier assigned by the application, and reset the browser to the login page. Next, a victim sits down at the same public terminal, notices the browser open to the login page of the site, and enters credentials to authenticate against the application.

The biggest challenge an attacker faces in exploiting session fixation vulnerabilities is inducing victims to authenticate against the vulnerable application using a session identifier known to the attacker. In most circumstances, the first two challenges are surmountable given a sufficient investment of time. Finding a victim who is both using a public terminal and interested in logging into the vulnerable application is possible as well, so long as the site is reasonably popular. The less well known the site is, the lower the odds of an interested victim using the public terminal and the lower the chance of success for the attack vector described above.

The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness.

The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as Child Of, Parent Of, Member Of and give insight to similar items that may exist at higher and lower levels of abstraction. This Member Of Relationships table shows additional CWE Categories and Views that reference this weakness as a member.

Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.
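As an added example (not the CWE page's own code), a constructed in-memory session store replays the public-terminal sequence described above against two logins: one that keeps the session id the browser already presented, and one that applies the mitigation named in the heading by invalidating any existing session and issuing a fresh id only after authentication. The `SessionStore` class and `shared_terminal_scenario` function are hypothetical, and credential checking is assumed to have succeeded before either login is called.

```python
import secrets

# Constructed in-memory session store for illustration (hypothetical, not CWE's code).
class SessionStore:
    def __init__(self):
        self.sessions = {}  # session id -> {"user": login name or None}

    def new_session(self):
        """Issue an anonymous session, as a site would on first visit to its login page."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_fixable(self, presented_sid, user):
        """Vulnerable pattern: authenticate the id the browser already holds.
        Whoever recorded that id at the shared terminal now holds the logged-in session.
        Credential verification is assumed to have succeeded before this call."""
        if presented_sid not in self.sessions:
            presented_sid = self.new_session()
        self.sessions[presented_sid]["user"] = user
        return presented_sid

    def login_safe(self, presented_sid, user):
        """Mitigation: invalidate any existing session and issue a fresh id only
        after authentication, so an id known beforehand grants nothing."""
        self.sessions.pop(presented_sid, None)  # discard whatever the browser presented
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user}
        return sid

    def user_for(self, sid):
        """Resolve a session id to its logged-in user, or None if anonymous or invalid."""
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def shared_terminal_scenario(safe):
    """Replay the public-terminal sequence from the text against either login.
    Returns (user the recorded id now resolves to, whether the victim got a new id)."""
    store = SessionStore()
    recorded = store.new_session()   # session created at the terminal; its id is recorded
    login = store.login_safe if safe else store.login_fixable
    victim_sid = login(recorded, "victim")  # victim authenticates at the same terminal
    return store.user_for(recorded), victim_sid != recorded


if __name__ == "__main__":
    print("fixable:", shared_terminal_scenario(False))  # ('victim', False)
    print("safe:   ", shared_terminal_scenario(True))   # (None, True)
```

With the vulnerable login the recorded id resolves to the victim's account; with the safe login it resolves to nothing and the victim's browser receives a new id.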