CWE-384 Session Fixation
What this means
SiteShadow flagged a session handling pattern where a user's session identifier may be reused or not regenerated at the right times (e.g., after login), allowing an attacker to "fix" a session ID and later hijack the authenticated session.
Why it matters
Attackers can force a victim to use a known session ID.
- Account takeover: the attacker sets or knows the victim's session ID before login, then uses that same ID after the victim authenticates.
- Hard to detect: the victim's login looks normal, and the attacker's later requests carry a legitimately authenticated session ID.
Safer examples
1) Regenerate session IDs on login and privilege changes
Rotate the session identifier after authentication and after role changes.
2) Use secure cookie attributes
Set HttpOnly, Secure, and a safe SameSite (see S02 / CWE-614).
3) Provide session revocation
Let users/admins revoke sessions and shorten session lifetimes (see TOK01).
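As an added example (not SiteShadow's code), a minimal in-memory session store with the vulnerable login beside the fixed one, plus rotation on role change and server-side revocation; `SessionStore`, `login_vulnerable`, `login_fixed`, `change_role`, `revoke` and `fixation_succeeds` are assumed names, and the store stands in for whatever framework manages sessions.

```python
import secrets

class SessionStore:
    """Maps opaque session ids to per-session state; stands in for a framework's store."""
    def __init__(self):
        self._sessions = {}  # session_id -> {"user": str | None, "role": str}

    def start(self):
        """Pre-authentication session, as issued on a visitor's first request."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "role": "anonymous"}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def _rotate(self, sid):
        """Move the state to a fresh id and invalidate the old one."""
        state = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = state
        return new_sid

    def login_vulnerable(self, sid, user):
        """CWE-384 pattern: the pre-login id is kept, so anyone who knew it is now logged in too."""
        self._sessions[sid].update(user=user, role="user")
        return sid

    def login_fixed(self, sid, user):
        """Fix (item 1): regenerate on authentication; the pre-login id stops working."""
        new_sid = self._rotate(sid)
        self._sessions[new_sid].update(user=user, role="user")
        return new_sid

    def change_role(self, sid, role):
        """Rotate on privilege change as well, not only on login."""
        new_sid = self._rotate(sid)
        self._sessions[new_sid]["role"] = role
        return new_sid

    def revoke(self, sid):
        """Server-side revocation (item 3): the id is dropped regardless of cookie expiry."""
        self._sessions.pop(sid, None)

def fixation_succeeds(store, login):
    """Constructed check: does an id known before login carry the victim's identity afterwards?"""
    known_sid = store.start()
    login(known_sid, "victim")
    state = store.get(known_sid)
    return state is not None and state["user"] == "victim"
```

With the vulnerable login the check returns True; with the fixed login the pre-login id is gone from the store and the check returns False.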
How SiteShadow detects it (high level)
- Looks for login flows that set auth state without rotating session identifiers.
- Flags session frameworks/configs where regeneration/rotation is missing or disabled.
References
- CWE-384: https://cwe.mitre.org/data/definitions/384.html
---