Read Time:44 Second

Description

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-610
CWE-610
CWE-346
CWE-472
CWE-441

 

Consequences

Access Control: Gain Privileges or Assume Identity

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Invalidate any existing session identifiers prior to authorizing a new user session.

Phase: Architecture and Design

Description: 

For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user’s browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don’t match, invalidate the session, and force the user to log on again.

CVE References