ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5876/rationale.adoc

8 lines
819 B
Plaintext
Raw Normal View History

Modify rule S5876: Update to LayC format (APPSEC-969) (#2967) ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2023-08-30 09:09:58 +02:00
Session fixation attacks take advantage of the way web applications manage session identifiers. Here's how a session fixation attack typically works:
* When a user visits a website or logs in, a session is created for them.
* This session is assigned a unique session identifier, stored in a cookie, in local storage, or through URL parameters.
* In a session fixation attack, an attacker tricks a user into using a predetermined session identifier controlled by the attacker. For example, the attacker sends the victim an email containing a link with this predetermined session identifier.
* When the victim clicks on the link, the web application does not create a new session identifier but uses this identifier known to the attacker.
* At this point, the attacker can hijack and impersonate the victim's session.
Reference in New Issue Copy Permalink