
CWE-384: Session Fixation

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that the application failed to regenerate session IDs after authentication, allowing session fixation attacks. Evidence includes the same session ID persisting before and after login, acceptance of attacker-supplied session IDs, or lack of session rotation on privilege escalation. The scanner logs in with a pre-set session ID and observes that it remains valid post-authentication.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-384 typically indicate that the application:

  • Accepted a session identifier before authentication
  • Did not issue a new session identifier after successful login
  • Continued using the same session ID across a privilege boundary

Evidence is based on observing that a pre-authentication session remains valid after login, not on specific request parameters or payloads.

Mapping DAST Findings to Source Code

CWE-384 does not map to a single vulnerable parameter. The issue resides in session lifecycle handling across authentication events.

When tracing this issue in code, look for:

  • Session creation prior to authentication
  • Missing session ID regeneration after login
  • Acceptance of externally supplied session identifiers
  • Session cookies not invalidated or replaced on privilege change
  • Authentication logic that binds user identity to an existing session

Remediation

Core Principle: Never allow a session identifier established prior to authentication to remain valid after authentication; session identifiers must be regenerated whenever a user’s authentication or privilege level changes.

→ For comprehensive remediation guidance, see Static CWE-384 Guidance

Verification and Follow-Up Testing

After applying the fix:

1. Reproduce the Original Behavior

  • Establish a session prior to authentication
  • Authenticate using that session
  • Confirm that, before the fix, the session identifier remained unchanged across login

2. Verify the Fix

  • Confirm a new session identifier is issued after successful login
  • Verify the pre-authentication session is invalidated
  • Ensure externally supplied session identifiers are ignored

3. Test Edge Cases

  • Session fixation attempts via cookies, URLs, or request parameters
  • Reuse of old session IDs after logout/login
  • Authentication flows other than primary login (SSO, refresh, step-up auth)

4. Re-run DAST Scanner

Re-run the dynamic scanner to confirm session fixation behavior is no longer observed.
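As an added illustration (not code from this guidance page or any particular framework), the Python below models the remediation principle and the verification steps with a minimal in-memory session store: the vulnerable login binds the user to the pre-authentication id, the remediated login invalidates that id and issues a new one, and the check functions mirror steps 1 and 2 above. The `SessionStore` class, the check helpers and the sample user name are assumptions made for the example.

```python
import secrets

class SessionStore:
    """Constructed in-memory store: session_id -> {"user": name or None}."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        """Issue a fresh, unpredictable session id (pre-authentication)."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, supplied_sid):
        """Look up a client-supplied id. An id the server never issued is
        ignored and a new anonymous session is created instead of adopting
        the supplied value, so a pre-chosen identifier cannot be planted."""
        if supplied_sid in self.sessions:
            return supplied_sid
        return self.create()

    def login_vulnerable(self, sid, user):
        """CWE-384 pattern: identity is bound to the pre-auth session id."""
        self.sessions[sid]["user"] = user
        return sid

    def login_fixed(self, sid, user):
        """Remediated: drop the pre-auth session and issue a new id that
        carries the authenticated identity."""
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def check_rotation(fixed):
    """Verification steps 1 and 2: establish a pre-auth session, log in with
    it, then return (id_changed, old_id_still_authenticates)."""
    store = SessionStore()
    pre_auth = store.create()
    login = store.login_fixed if fixed else store.login_vulnerable
    post_auth = login(pre_auth, "alice")  # constructed sample user
    return post_auth != pre_auth, store.user_for(pre_auth) == "alice"


def check_supplied_id_ignored():
    """Step 2, third bullet: an externally supplied id is never adopted."""
    store = SessionStore()
    foreign = "externally-supplied-id"  # constructed value
    sid = store.resolve(foreign)
    return sid != foreign and foreign not in store.sessions
```

`check_rotation(False)` reproduces the scanner's observation (same id, old id still authenticates), while `check_rotation(True)` shows the expected post-fix result.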

Additional Resources