Session Fixation Attack on HTTP Cookies

Nessus Plugin ID 45084 (Severity: High)


The remote web application is vulnerable to a session fixation attack.


By manipulating cookies through a vulnerability similar to cross-site scripting, an attacker can set the session cookie to a value they know. The legitimate user is logged out of the application; when they log in again, the cookie remains unchanged, so the attacker can take over the now-authenticated session and impersonate the user.


- Fix the application so that the session cookie is regenerated after a successful authentication.

- Fix the cookie manipulation flaws.
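The following Python example is added here to illustrate the first remediation item; it is not the plugin's own check code (the NASL source is not shown on this page) and not part of any real framework. It models a server-side session table in memory with a constructed credential store, contrasts a login handler that keeps the pre-authentication session id with one that regenerates it, and provides a regression check that replays the scenario from the description above: an attacker plants a valid pre-auth session id in the victim's cookie, the victim logs in, and the check reports whether that planted id is now accepted as the victim's authenticated session. The class and function names are assumptions chosen for the example.

```python
import hmac
import secrets

# Constructed demo credential store (not from the plugin page).
USERS = {"alice": "correct horse battery staple"}


def check_credentials(username, password):
    """Constant-time comparison against the demo credential store."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


class SessionStore:
    """Server-side session table mapping session id -> session data."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        # Unauthenticated session with a server-generated, unguessable id.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        session = self.sessions.get(sid)
        return session["user"] if session else None


def login_vulnerable(store, sid, username, password):
    """Authenticates in place: the session id the client arrived with survives
    authentication, so whoever planted that id now holds a logged-in session."""
    if sid not in store.sessions or not check_credentials(username, password):
        return None
    store.sessions[sid]["user"] = username
    return sid


def login_fixed(store, sid, username, password):
    """Regenerates the session on successful authentication: the pre-auth id is
    discarded and a fresh server-generated id is bound to the user, so a planted
    id never becomes an authenticated one."""
    if not check_credentials(username, password):
        return None
    store.sessions.pop(sid, None)  # invalidate the id the client arrived with
    new_sid = store.create()
    store.sessions[new_sid]["user"] = username
    return new_sid


def fixation_succeeds(login):
    """Regression check for a login handler: the attacker obtains a legitimate
    pre-auth session id, plants it in the victim's cookie, and the victim logs in
    with it. Returns True if the planted id is afterwards accepted as the
    victim's authenticated session (i.e. the handler is fixation-prone)."""
    store = SessionStore()
    planted_sid = store.create()  # attacker's own pre-auth id, planted in the victim's cookie
    login(store, planted_sid, "alice", "correct horse battery staple")
    return store.user_for(planted_sid) == "alice"


if __name__ == "__main__":
    print("vulnerable handler fixable:", fixation_succeeds(login_vulnerable))  # True
    print("fixed handler fixable:     ", fixation_succeeds(login_fixed))       # False
```

The same check translates directly to a black-box test against a real application: capture the session cookie value before submitting credentials, capture it again from the post-login response, and treat an unchanged value as a finding of this class.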

Plugin Details

Severity: High

ID: 45084

File Name: http_session_fixation.nasl

Version: $Revision: 1.15 $

Type: remote

Family: Web Servers

Published: 2010/03/17

Modified: 2017/05/16

Dependencies: 44135, 46201, 44987, 44136, 11149, 39468

Risk Information

Risk Factor: High


Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Reference Information

CWE: 287, 384, 718, 724, 812, 928, 930, 935