Session Fixation
Session fixation is when an attacker creates a session and, in some way, hands that session to the victim to use when logging in.
The victim authenticates using the attacker's session, so the attacker has effectively turned their own session into one that is authenticated as another person. An analogy makes it clearer. Imagine Sam (the attacker) wants to attend an event that is exclusive to government agents. Sam buys a ticket under Sam's own ID and gives it as a gift to a friend, Bob, who is a government agent (the ticket is the attacker's pre-generated session; bear in mind that Sam has not authenticated at this point). Bob uses the ticket to attend the event (logs in using the given session). Sam follows Bob to the event and, about 20 minutes after Bob checks in, turns up claiming to have gone back to the car to fetch something, and asks the supervisor to check Sam's ID, the one the ticket was originally bought with. According to the system, Sam is indeed the owner of a ticket that Bob checked in 20 minutes earlier, so Sam gets in.
This issue occurs when a developer creates a session token before authentication and fails to regenerate it after login.
Vulnerable Backend Implementation
When configuring session storage in Node.js with express-session, setting saveUninitialized: true while never calling req.session.regenerate() in the login handler leads to this flaw:
const session = require('express-session');

app.use(
  session({
    secret: process.env.SESSION_SECRET,
    resave: false,
    saveUninitialized: true, // a session record and cookie are issued to unauthenticated visitors
  })
);