
## Review

A dedicated reviewer checked the rule description successfully for:

- [x] logical errors and incorrect information
- [x] information gaps and missing content
- [x] text style and tone
- [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

---------

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
8 lines
819 B
Plaintext
Session fixation attacks take advantage of the way web applications manage session identifiers. Here's how a session fixation attack typically works:

* When a user visits a website or logs in, a session is created for them.
* This session is assigned a unique session identifier, stored in a cookie, in local storage, or through URL parameters.
* In a session fixation attack, an attacker tricks a user into using a predetermined session identifier controlled by the attacker. For example, the attacker sends the victim an email containing a link with this predetermined session identifier.
* When the victim clicks on the link, the web application does not create a new session identifier but keeps using this identifier, which is known to the attacker.
* At this point, the attacker can hijack and impersonate the victim's session.
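The flow above is easiest to see against a login handler. The following is an added example, not part of the rule description or of any SonarSource code: it models a server-side session store in memory (a constructed stand-in for a real backend) and contrasts a login that keeps the session identifier the request arrived with against one that issues a fresh identifier once authentication succeeds. The `SessionStore`, `login_vulnerable`, `login_fixed` and `simulate` names and the `USERS` credentials are all assumptions made for this illustration.

```python
import secrets


class SessionStore:
    """Constructed in-memory stand-in for a server-side session backend."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # Unpredictable identifier; predictability is a separate weakness.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, old_sid):
        """Move the session data to a fresh identifier and invalidate the old one."""
        data = self._sessions.pop(old_sid, None)
        if data is None:
            data = {"user": None}
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


# Constructed credential table for the example.
USERS = {"alice": "correct horse battery staple"}


def login_vulnerable(store, sid, username, password):
    """Authenticates but keeps whatever session identifier the request carried.

    This is the behaviour the rule description warns about: an identifier
    chosen before login stays valid after login.
    """
    session = store.get(sid)
    if session is None:
        sid = store.create()
        session = store.get(sid)
    if USERS.get(username) != password:
        return sid, False
    session["user"] = username
    return sid, True


def login_fixed(store, sid, username, password):
    """Same flow, but a new identifier is issued when authentication succeeds.

    The pre-login identifier is invalidated, so anyone who knew it cannot
    use it to reach the authenticated session.
    """
    if USERS.get(username) != password:
        return sid, False
    if store.get(sid) is None:
        sid = store.create()
    new_sid = store.regenerate(sid)
    store.get(new_sid)["user"] = username
    return new_sid, True


def simulate(login):
    """Run the scenario from the text: a session id fixed before login.

    Returns whether the id changed at login and whether the pre-login id
    now resolves to an authenticated session.
    """
    store = SessionStore()
    # An identifier that exists before the victim logs in and that a third
    # party already knows (the fixation scenario described above).
    fixed_sid = store.create()
    # The victim logs in with that identifier in their cookie.
    victim_sid, ok = login(store, fixed_sid, "alice", USERS["alice"])
    if not ok:
        raise RuntimeError("constructed login unexpectedly failed")
    pre_login_view = store.get(fixed_sid)
    return {
        "session_changed": victim_sid != fixed_sid,
        "fixed_id_is_authenticated": (
            pre_login_view is not None and pre_login_view["user"] == "alice"
        ),
    }


if __name__ == "__main__":
    print("vulnerable:", simulate(login_vulnerable))
    print("fixed:     ", simulate(login_fixed))
```

With `login_vulnerable`, the pre-login identifier is the same one the authenticated session lives under afterwards, which is exactly the condition the last two bullets describe. With `login_fixed`, the store no longer recognises the old identifier after login, so the identifier that was known before authentication is worthless. Real frameworks expose this as a session-regeneration call (for example, cycling the session key on login); the detection to look for in a code base is a login path that sets the authenticated user on the session without ever calling it.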