CWE-384 - Session Fixation


Failing to invalidate the existing session identifier before establishing a new session for a user allows attackers to steal authenticated sessions.
It usually takes place when:
1. A web application continues to use a previous user's session for a new one.
2. An attacker imposes a known session identifier on the user. As soon as the user authenticates, the attacker can access the system with that session.
3. An attacker creates a new session and records the associated session identifier. When the user authenticates using that session identifier, the attacker gains the user's privileges and access.
The weakness is introduced during the Architecture and Design and Implementation stages.
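The following added example (not part of the CWE entry) contrasts a login routine that keeps whatever session identifier the client presented with one that discards the pre-authentication session and issues a fresh identifier. The `SessionStore` class and its method names are assumptions made for the example, standing in for a web framework's session layer.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store for the example (not a real framework)."""

    def __init__(self):
        self._sessions = {}  # session id -> dict of session attributes

    def get_or_create(self, session_id):
        # Resolve a presented id if it is a known session, otherwise mint a new one.
        if session_id is None or session_id not in self._sessions:
            session_id = secrets.token_urlsafe(32)
            self._sessions[session_id] = {"user": None}
        return session_id

    def user_of(self, session_id):
        # Returns the authenticated user bound to the id, or None.
        return self._sessions.get(session_id, {}).get("user")

    def login_vulnerable(self, presented_id, username):
        # CWE-384 behaviour: the id that existed before authentication is kept,
        # so an id planted on the victim becomes an authenticated session.
        sid = self.get_or_create(presented_id)
        self._sessions[sid]["user"] = username
        return sid

    def login_hardened(self, presented_id, username):
        # Mitigation: invalidate the pre-authentication session and issue a
        # fresh, unpredictable id; the planted id no longer resolves at all.
        old = self.get_or_create(presented_id)
        carried = self._sessions.pop(old)
        new = secrets.token_urlsafe(32)
        self._sessions[new] = {**carried, "user": username}
        return new


def fixation_succeeds(login):
    """Simulate step 3 of the entry: a session is created before login and its
    id is presented at login. Returns True if that pre-login id ends up
    authenticated, i.e. if the login routine is vulnerable."""
    store = SessionStore()
    planted = store.get_or_create(None)  # id known before authentication
    login(store, planted, "victim")
    return store.user_of(planted) == "victim"
```

Calling `fixation_succeeds(SessionStore.login_vulnerable)` returns True while `fixation_succeeds(SessionStore.login_hardened)` returns False, which is the check a code reviewer would want for any login path.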

