Rules Repository: RSPEC-5876

A new session should be created during user authentication


    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Create a new session during user authentication to prevent session fixation attacks.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way, Sonar way recommended
    • Covered Languages:
      Java, JavaScript, PHP
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • Analysis Level:
      Control-flow Analysis
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-384 (Session Fixation)
    • OWASP:
      A2

      Description

      Session fixation attacks occur when an attacker can force a legitimate user into using a session identifier that the attacker already knows (for example by planting it in a link or a cookie before the user logs in). Once the victim authenticates under that identifier, the attacker's copy of it is an authenticated session. To prevent this, generate a new session at the moment a user authenticates and delete/invalidate the existing one (the one the attacker may know), so that a pre-authentication identifier never becomes an authenticated one.

          Issue Links

          1. PHP: RSPEC-6090 (Language-Specification, Active, Unassigned)
          2. Java: RSPEC-5877 (Language-Specification, Active, Unassigned)
          3. JavaScript: RSPEC-6102 (Language-Specification, Active, Unassigned)

              People

              Assignee:
              Unassigned
              Reporter:
              Eric Therond (eric.therond)
              Votes:
              0
              Watchers:
              3
