Session Fixation in Adonisjs

Session fixation attacks in Adonisjs occur when an attacker sets a known session identifier and tricks a victim into using it, allowing the attacker to hijack the session after the victim authenticates. This vulnerability is particularly dangerous in Adonisjs applications because the framework's default session management can be misconfigured to allow predictable session IDs.

The most common Adonisjs-specific manifestation involves using the Adonisjs session module without proper session rotation. When developers call session.put() or manually manipulate session data without rotating the session ID, attackers can exploit this to maintain access across authentication boundaries. Another pattern occurs when Adonisjs applications use query parameters or URL fragments to pass session identifiers, which can be captured and reused by attackers.

Adonisjs applications often expose session fixation vulnerabilities through improper use of the auth.attempt() method. If developers don't call auth.attempt() with proper session rotation, the session ID remains unchanged after login, allowing attackers to pre-generate valid session identifiers. This is especially problematic in Adonisjs when using the session driver with custom session stores or when implementing single sign-on (SSO) flows where session tokens are passed between services.

The framework's middleware stack can also introduce session fixation risks. Adonisjs's Session middleware, when configured with predictable session names or when using shared session stores across different applications, can allow attackers to guess or predict session identifiers. Additionally, Adonisjs applications that use the flash messaging system without proper session isolation can inadvertently expose session identifiers through URL parameters or form fields.

A particularly dangerous Adonisjs-specific pattern involves using the response.cookie() method to set session identifiers manually. When developers bypass Adonisjs's built-in session management to set custom cookies containing session data, they often forget to implement proper session rotation and secure cookie attributes, creating an easy target for session fixation attacks.

Detecting session fixation in Adonisjs applications requires examining both the application code and runtime behavior. Using middleBrick's API security scanner, you can identify Adonisjs-specific session fixation vulnerabilities by scanning your application endpoints. The scanner tests for predictable session ID generation, missing session rotation after authentication, and improper session handling in Adonisjs-specific code patterns.

Code review for Adonisjs applications should focus on these specific patterns:

// Vulnerable pattern - no session rotation after login
async login({ auth, request, session }) {
  const { email, password } = request.all()
  await auth.attempt(email, password)
  // Session ID remains the same - vulnerable to fixation
  session.flash('success', 'Logged in successfully')
  return response.redirect('/dashboard')
}

// Vulnerable pattern - manual session manipulation
async createSession({ auth, session }) {
  const user = await User.findBy('email', email)
  session.put('userId', user.id) // No session rotation
  session.put('role', user.role)
  return 'Session created'
}

// Vulnerable pattern - predictable session names
const sessionConfig = {
  session: {
    name: 'adonis-session', // Predictable name
    secret: Env.get('APP_KEY'),
    driver: 'redis'
  }
}

middleBrick's scanner specifically tests Adonisjs applications for these vulnerabilities by attempting to establish sessions before authentication and verifying whether session IDs change after login. The scanner also checks for Adonisjs-specific middleware configurations that might expose session identifiers through headers or cookies.

Runtime detection involves monitoring for these Adonisjs-specific indicators: unchanged session IDs across authentication boundaries, predictable session cookie names, and session identifiers appearing in URLs or form fields. The scanner tests multiple authentication flows to verify that session rotation occurs properly in all authentication scenarios.

Remediating session fixation in Adonisjs requires implementing proper session management patterns using the framework's built-in features. The most critical fix is implementing session rotation after authentication using Adonisjs's auth.attempt() method with proper configuration.

// Secure pattern - proper session rotation
async login({ auth, request, response }) {
  const { email, password } = request.all()
  
  // This automatically rotates session ID after successful auth
  await auth.attempt(email, password, {
    redirect: '/dashboard'
  })
  
  return response.redirect('/dashboard')
}

// Secure pattern - explicit session rotation
async regenerateSession({ auth, session }) {
  // Regenerate session after privilege changes
  await session.regenerate()
  session.put('userId', auth.user.id)
  session.put('role', auth.user.role)
  return 'Session regenerated'
}

// Secure configuration - unpredictable session names
const sessionConfig = {
  session: {
    name: Env.get('SESSION_NAME', `adonis_${Math.random().toString(36).substr(2, 9)}`),
    secret: Env.get('APP_KEY'),
    driver: 'redis',
    cookie: {
      httpOnly: true,
      secure: true,
      sameSite: 'strict',
      maxAge: 24 * 60 * 60 * 1000 // 24 hours
    }
  }
}

Adonisjs provides several built-in methods for secure session management. Use session.regenerate() after any privilege escalation or authentication event. Implement proper session timeout policies using Adonisjs's session configuration to automatically expire sessions after inactivity periods.

For applications using Adonisjs's auth system, always use the auth.attempt() or auth.login() methods rather than manual session manipulation. These methods automatically handle session rotation and security best practices. When implementing custom authentication flows, always call session.regenerate() after successful authentication.

Additional security measures include implementing proper session store isolation, using secure cookie attributes (HttpOnly, Secure, SameSite), and avoiding session identifier transmission through URLs or form fields. Adonisjs's middleware system can be configured to automatically regenerate sessions based on specific conditions or time intervals.