Session Fixation Attack on HTTP Cookies
Severity: High
Nessus Plugin ID: 45084
Synopsis
The remote web application is vulnerable to a session fixation attack.

Description
By manipulating cookies through a vulnerability similar to cross-site scripting, an attacker can set the victim's session cookie to a value the attacker knows. The legitimate user is logged out of the application; when they log in again, the application keeps the same cookie value, so the attacker's known session identifier now maps to the authenticated session, and the attacker can take over the open session and impersonate the user.

Solution
- Fix the application so that the session identifier is regenerated after a successful authentication.
- Fix the cookie manipulation flaws.
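The following is an added example, not code from Nessus or from any scanned application, that shows why the first remediation item matters. A minimal in-memory session store is run through the sequence the description gives: a session identifier is planted in the victim's cookie, the victim logs in, and we check whether the planted identifier still resolves to the authenticated user. The `SessionStore` class, the `USERS` table, the credentials and the `PLANTED-SESSION-ID` value are all constructed for the demonstration; the only real dependency is the standard-library `secrets` module used to mint unpredictable identifiers.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed credential table for the demo; not a real user database.
USERS = {"alice": "correct-horse-battery-staple"}


def new_session_id() -> str:
    """Unpredictable session identifier (256 bits from the OS CSPRNG)."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """In-memory session store (constructed for this example).

    With regenerate_on_login=False it behaves like the vulnerable application
    the plugin describes; with True it applies the plugin's recommended fix.
    """

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self.sessions: Dict[str, Dict[str, Optional[str]]] = {}

    def resume(self, cookie_sid: Optional[str]) -> str:
        """Return the session id this request will use.

        Like many frameworks, an id presented in the cookie is adopted even if
        the server never issued it; that is what makes a planted cookie usable.
        """
        if cookie_sid is None:
            cookie_sid = new_session_id()
        self.sessions.setdefault(cookie_sid, {"user": None})
        return cookie_sid

    def login(self, sid: str, username: str, password: str) -> str:
        """Authenticate; return the session id the Set-Cookie response must carry."""
        if USERS.get(username) != password:
            return sid  # failed login: no state change
        if self.regenerate_on_login:
            # Fix: discard the pre-authentication id and issue a fresh one.
            # Anyone holding the old id is left with a dead session.
            self.sessions.pop(sid, None)
            sid = new_session_id()
            self.sessions[sid] = {"user": username}
        else:
            # Vulnerable: privilege is attached to whatever id the client arrived with.
            self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        """User bound to a session id, or None if the id is unknown or anonymous."""
        return self.sessions.get(sid, {}).get("user")


def fixation_scenario(regenerate_on_login: bool) -> Tuple[Optional[str], Optional[str]]:
    """Replay the sequence from the plugin description.

    Returns (what the victim sees, what the holder of the planted id sees).
    """
    store = SessionStore(regenerate_on_login)
    planted_sid = "PLANTED-SESSION-ID"  # constructed; stands for the id written via the cookie flaw
    # The victim's browser presents the planted id, then the victim logs in.
    sid = store.resume(planted_sid)
    sid_after_login = store.login(sid, "alice", USERS["alice"])
    victim_view = store.whoami(sid_after_login)
    # The security check: does the planted id still resolve to the authenticated user?
    planted_view = store.whoami(planted_sid)
    return victim_view, planted_view


if __name__ == "__main__":
    print("without regeneration:", fixation_scenario(False))  # ('alice', 'alice')
    print("with regeneration:   ", fixation_scenario(True))   # ('alice', None)
```

In the vulnerable configuration the planted identifier becomes an authenticated session, which is exactly the condition this plugin reports; with regeneration the victim is logged in under a fresh identifier and the planted one resolves to nothing. When reviewing a real application, the check is the same: capture the session cookie before and after a successful login and confirm the value changed.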