As far as I can tell from the pentesting report, the main problem is that Auth0 doesn’t invalidate the existing session cookie after a new login. Could you please explain how I could fix the Session Fixation vulnerability?
Here is the pentest’s report:
We used the original cookies after login to generate a new set of session cookies with the same structure. We injected those in the browser and logged in again.
The server did not change the session cookies after this new login. Therefore, the forged cookies could still be used to continue accessing the account potentially.
The forged cookies used were:
connect.sid=…&3Ad
Risk description:
The risk is that an attacker might be able to fixate or set a user’s session ID to one known to them, perhaps through social engineering or by leaving a fixated cookie on a shared or public computer. When a victim logs in using the fixated session ID, they attach the attacker-set session to their authenticated account.
Recommendation:
Ensure a new and cryptographically secure random session ID is generated post-authentication. After a successful authentication, invalidate the user’s previous session tokens.