Fixed HTTP Session Cookies

Medium Nessus Plugin ID 46201

Synopsis

The remote web application is affected by a session fixation vulnerability.

Description

The remote web application uses cookies to track authenticated users.
If a session cookie is already present before authentication, it remains unchanged after a successful login. A remote attacker can exploit this to hijack a valid user session.

Session cookies are expected to be unpredictable in a secure web application. If HTTP cookies can be manipulated (for example, by injecting client-side JavaScript), the attacker does not have to break the pseudo-random generator, and the web application is vulnerable to a 'session fixation' attack.

Solution

Fix the application so that the session cookie is regenerated after successful authentication.
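The following is an added illustration of the finding and its fix; it is not code from the plugin or from Tenable. It uses a stdlib-only, in-memory session store with a hypothetical cookie name (SESSIONID) to show a login handler that keeps the pre-authentication session identifier (the fixation weakness this plugin reports) next to one that discards it and issues a fresh identifier, and a defender-side check, modelled on the plugin's description rather than on its actual logic, that compares the session cookie value before and after authentication.

```python
import secrets
from http.cookies import SimpleCookie

# Hypothetical cookie name; real applications use whatever their framework sets.
SESSION_COOKIE = "SESSIONID"


class SessionStore:
    """Minimal in-memory session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        # Unpredictable identifier: 32 random bytes, URL-safe encoded.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def drop(self, sid):
        self._sessions.pop(sid, None)


def login_vulnerable(store, presented_sid, user):
    """Weak pattern: the identifier presented before login is kept after login.

    Whoever knew the pre-authentication identifier now shares the
    authenticated session, which is exactly what the plugin detects.
    """
    session = store.get(presented_sid)
    if session is None:
        presented_sid = store.new_session()
        session = store.get(presented_sid)
    session["user"] = user
    return presented_sid  # unchanged across the authentication boundary


def login_fixed(store, presented_sid, user):
    """Hardened pattern: discard the pre-authentication session and issue a new one.

    The old identifier stops resolving to any session, so a value planted
    before login is worthless afterwards.
    """
    store.drop(presented_sid)
    new_sid = store.new_session()
    store.get(new_sid)["user"] = user
    return new_sid  # the Set-Cookie header after login carries this value


def session_rotated_on_login(pre_auth_set_cookie, post_auth_set_cookie, name=SESSION_COOKIE):
    """Compare the session cookie value seen before and after authentication.

    Returns True if the value changed (expected), False if it was preserved
    (the finding), or None if the named cookie is absent from either header.
    """
    before, after = SimpleCookie(), SimpleCookie()
    before.load(pre_auth_set_cookie)
    after.load(post_auth_set_cookie)
    if name not in before or name not in after:
        return None
    return before[name].value != after[name].value


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.new_session()
    print("vulnerable keeps id:", login_vulnerable(store, pre_login, "alice") == pre_login)
    store = SessionStore()
    pre_login = store.new_session()
    print("fixed rotates id:", login_fixed(store, pre_login, "alice") != pre_login)
    # Constructed Set-Cookie headers, as a scanner would capture them.
    print(session_rotated_on_login("SESSIONID=abc123; Path=/; HttpOnly",
                                   "SESSIONID=abc123; Path=/; HttpOnly"))
```

The check function only reports whether the identifier changed; it does not prove the old identifier was invalidated on the server, which the hardened handler above does by dropping the pre-login session before creating the new one.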

Plugin Details

Severity: Medium

ID: 46201

File Name: fixed_session_cookies.nasl

Version: $Revision: 1.9 $

Type: remote

Family: Web Servers

Published: 2010/04/30

Modified: 2017/05/18

Dependencies: 11149, 44987

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 5.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L