How to fix Session Fixation for Universal Login?

As far as I can tell from the pentesting report, the main problem is that Auth0 doesn’t invalidate the existing session cookie after a new login. Could you please explain how I could fix the Session Fixation vulnerability?

Here is the pentest’s report:

We used the original cookies after login to generate a new set of session cookies with the same structure. We injected those in the browser and logged in again.

The server did not change the session cookies after this new login. Therefore, the forged cookies could still be used to continue accessing the account potentially.

The forged cookies used were:

connect.sid=…&3Ad

Risk description:

The risk is that an attacker might be able to fixate or set a user’s session ID to one known to them, perhaps through social engineering or by leaving a fixated cookie on a shared or public computer. When a victim logs in using the fixated session ID, they attach the attacker-set session to their authenticated account.

Recommendation:

Ensure a new and cryptographically secure random session ID is generated post-authentication. After a successful authentication, invalidate the user’s previous session tokens.

Hello,

I came to ask the same question as our audit revealed the session fixation issue too.

I was wrong about the origin of the connect.sid cookie. It turned out that it was created by the express-session Node.js library and the purpose of it was to keep track of unauthorized users. For that reason, the pentests could find that session. The issue was solved by setting saveUninitialized: false in the express-session’s settings.
