Description
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Modes of Introduction:
– Architecture and Design
Related Weaknesses
CWE-610
CWE-346
CWE-472
CWE-441
Consequences
Access Control: Gain Privileges or Assume Identity
Potential Mitigations
Phase: Architecture and Design
Description:
Invalidate any existing session identifiers prior to authorizing a new user session.
Phase: Architecture and Design
Description:
For platforms such as ASP that do not generate new values for session ID cookies, use a secondary cookie. In this approach, set a secondary cookie in the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever fail to match, invalidate the session and force the user to log on again.
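As an added example that is not part of the CWE entry: a minimal in-memory session store in Python (class and method names are hypothetical) showing the weakness next to both mitigations above, regenerating the session ID at login and, for platforms that cannot rotate the ID, binding a secondary random cookie to a server-side session variable.

```python
import secrets


class SessionStore:
    """Hypothetical server-side session store keyed by session ID."""

    def __init__(self):
        self.sessions = {}  # session_id -> dict of session data

    def new_session(self):
        # Pre-authentication session, e.g. issued on first page view.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    # WEAKNESS (CWE-384): authenticates inside the existing session, so an ID
    # issued before login keeps working after login with the user's privileges.
    def login_fixated(self, sid, user):
        self.sessions[sid]["user"] = user
        return sid

    # MITIGATION 1: invalidate the pre-auth session and issue a fresh ID.
    def login_regenerate(self, sid, user):
        self.sessions.pop(sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = user
        return new_sid

    # MITIGATION 2: when the ID cannot be rotated, set a secondary cookie to a
    # random value and store the same value in a session variable.
    def login_secondary_cookie(self, sid, user):
        token = secrets.token_urlsafe(32)
        self.sessions[sid].update({"user": user, "auth_token": token})
        return sid, token  # both are sent to the browser as cookies

    def authenticated_user(self, sid, auth_cookie=None):
        """Return the logged-in user, or None (invalidating on a token mismatch)."""
        sess = self.sessions.get(sid)
        if sess is None or sess["user"] is None:
            return None
        if "auth_token" in sess:
            if auth_cookie is None or not secrets.compare_digest(
                auth_cookie, sess["auth_token"]
            ):
                self.sessions.pop(sid, None)  # mismatch: force a new logon
                return None
        return sess["user"]
```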