SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-384 Session Fixation

Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.

What this means

SiteShadow flagged a session handling pattern where a user's session identifier may be reused or not regenerated at the right times (e.g., after login), allowing an attacker to "fix" a session ID and later hijack the authenticated session.

Why it matters

Attackers can force a victim to use a known session ID.

Safer examples

1) Regenerate session IDs on login and privilege changes

Rotate the session identifier after authentication and after role changes.

2) Use secure cookie attributes

Set HttpOnly, Secure, and a safe SameSite (see S02 / CWE-614).

3) Provide session revocation

Let users/admins revoke sessions and shorten session lifetimes (see TOK01).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.