Session Fixation in APIs

Session fixation is a web application vulnerability where an attacker sets a user's session identifier before authentication, then tricks the user into using that predetermined session. After the user authenticates, the attacker gains access to the authenticated session using the same session ID.

In API contexts, session fixation occurs when an API accepts session identifiers from unauthenticated requests and maintains them across authentication. The attacker provides a session token (often via URL parameter, cookie, or HTTP header), the user authenticates using that token, and the attacker subsequently uses the same token to access the authenticated session.

The vulnerability stems from APIs that:

• Accept session identifiers before authentication
• Maintain the same session ID across authentication
• Don't regenerate session tokens upon privilege elevation
• Allow session fixation through predictable or guessable session IDs

Unlike session hijacking (where attackers steal an existing session), fixation involves the attacker setting the session identifier before the legitimate user even authenticates.

Session fixation in APIs enables attackers to bypass authentication entirely by controlling the session lifecycle. Common attack scenarios include:

• Pre-authentication fixation: Attacker generates a session ID, tricks user into authenticating with it, then uses the same ID to access the user's account
• Cross-site fixation: Attacker embeds a session token in a malicious link or iframe that the user clicks
• API endpoint fixation: Public API endpoints that accept session tokens without authentication allow attackers to set session IDs

Real-world impact includes:

• Account takeover without needing to steal credentials
• Persistent access to user accounts even after password changes
• Bypassing multi-factor authentication if session fixation occurs after initial 2FA
• Access to sensitive API endpoints and data

APIs using JWT tokens improperly can also be vulnerable if they accept tokens from unauthenticated requests and don't properly validate token integrity or expiration.

Detecting session fixation requires examining both the session management implementation and runtime behavior. Key detection methods include:

• Session ID persistence: Verify that session IDs remain unchanged before and after authentication
• Token acceptance analysis: Check if the API accepts session identifiers from unauthenticated endpoints
• Session regeneration testing: Test whether new session IDs are generated after authentication
• Predictable ID patterns: Look for sequential or guessable session ID generation

middleBrick detects session fixation by:

• Scanning unauthenticated endpoints for session identifier acceptance
• Testing session ID persistence across authentication flows
• Analyzing session token generation patterns for predictability
• Checking for improper session handling in OpenAPI specifications
• Verifying that authentication doesn't maintain pre-existing session state

The scanner tests multiple session fixation vectors including URL parameters, cookies, and custom headers to identify vulnerable session management patterns.

Preventing session fixation requires proper session management throughout the authentication lifecycle. Key remediation strategies:

Session Regeneration

// Before authentication: create initial session
const sessionId = generateSecureSessionId();
res.cookie('sessionId', sessionId, { httpOnly: true });

// After successful authentication: regenerate session
app.post('/login', async (req, res) => {
  const user = await authenticate(req.body);
  if (user) {
    // CRITICAL: regenerate session ID
    req.session.regenerate((err) => {
      if (err) return res.status(500).send('Error');
      req.session.userId = user.id;
      res.json({ success: true });
    });
  }
});

Secure Session Management

// Use secure, random session IDs
function generateSecureSessionId() {
  return crypto.randomBytes(32).toString('hex');
}

// Set secure cookie attributes
res.cookie('sessionId', sessionId, {
  httpOnly: true,
  secure: true,
  sameSite: 'strict',
  maxAge: 24 * 60 * 60 * 1000 // 24 hours
});

// Invalidate old sessions on logout
app.post('/logout', (req, res) => {
  req.session.destroy((err) => {
    res.clearCookie('sessionId');
    res.json({ success: true });
  });
});

Token Validation

// JWT example with proper validation
app.use((req, res, next) => {
  const token = req.headers.authorization?.replace('Bearer ', '');
  
  if (!token) return next(); // No token = no session fixation possible
  
  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET, {
      algorithms: ['HS256'],
      maxAge: '24h'
    });
    req.user = decoded;
    next();
  } catch (err) {
    // Invalid token - don't create session
    next();
  }
});

Session fixation vulnerabilities have caused significant security incidents across major platforms. While specific CVEs for pure session fixation are rare (as it's often combined with other authentication flaws), the impact is well-documented:

• Financial services APIs: Attackers have used session fixation to maintain access to banking APIs even after customers changed passwords, leading to unauthorized transactions
• Enterprise SaaS platforms: Session fixation in single sign-on implementations allowed attackers to access multiple integrated services using a single compromised session
• E-commerce APIs: Attackers exploited session fixation to maintain shopping cart access and complete purchases using stored payment methods

The vulnerability is particularly dangerous because it provides persistent access without requiring ongoing credential compromise. Attackers can maintain access to user accounts indefinitely if session fixation isn't properly addressed.

middleBrick's session fixation detection helps identify these vulnerabilities before they can be exploited, providing specific findings about session management weaknesses and actionable remediation guidance to prevent account takeover attacks.