igbuend/session-fixation-anti-pattern
skills/session-fixation-anti-pattern/SKILL.md
Security anti-pattern for session fixation vulnerabilities (CWE-384). Use when generating or reviewing code that handles user sessions, login flows, or authentication state changes. Detects failure to regenerate session IDs after authentication.
$ install --global
skillsauthnpx skillsauth add igbuend/grimbard session-fixation-anti-patternInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 8:20 PM21.3s1 file scanned
SKILL.md
- name:
- session-fixation-anti-pattern
- description:
- Security anti-pattern for session fixation vulnerabilities (CWE-384). Use when generating or reviewing code that handles user sessions, login flows, or authentication state changes. Detects failure to regenerate session IDs after authentication.
Session Fixation Anti-Pattern
Severity: High
Summary
Attackers fix a user's session ID before login. The attacker obtains a valid session ID, tricks the victim into using it, and when authentication fails to regenerate the session ID, hijacks the victim's authenticated session.
The Anti-Pattern
The anti-pattern is reusing the same session ID before and after authentication.
BAD Code Example
# VULNERABLE: Session ID not regenerated after login.
from flask import Flask, session, redirect, url_for, request
app = Flask(__name__)
app.secret_key = 'your_secret_key' # Insecure in production
@app.route('/')
def index():
if 'username' in session:
return f'Hello {session["username"]}! <a href="/logout">Logout</a>'
return 'Welcome, please <a href="/login">Login</a>'
@app.route('/login', methods=['GET', 'POST'])
def login():
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
if check_credentials(username, password):
# FLAW: Session ID not regenerated.
# Existing session (potentially attacker-fixed) now authenticated.
session['username'] = username
return redirect(url_for('index'))
return 'Invalid credentials'
return '''
<form method="post">
<p><input type=text name=username></p>
<p><input type=password name=password></p>
<p><input type=submit value=Login></p>
</form>
'''
# Attack:
# 1. Attacker gets session_id=ABCD
# 2. Tricks victim into using session_id=ABCD (XSS, referrer, etc.)
# 3. Victim logs in, server reuses session_id=ABCD
# 4. Attacker hijacks authenticated session with session_id=ABCD
GOOD Code Example
# SECURE: Regenerate session ID after login and privilege changes.
from flask import Flask, session, redirect, url_for, request
app = Flask(__name__)
app.secret_key = 'your_secret_key' # Use strong, securely managed key
@app.route('/')
def index_secure():
if 'username' in session:
return f'Hello {session["username"]}! <a href="/logout">Logout</a>'
return 'Welcome, please <a href="/login_secure">Login Securely</a>'
@app.route('/login_secure', methods=['GET', 'POST'])
def login_secure():
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
if check_credentials(username, password):
# Regenerate session ID after authentication.
# Creates new session, invalidating pre-login session ID.
session.regenerate()
session['username'] = username
return redirect(url_for('index_secure'))
return 'Invalid credentials'
return '''
<form method="post">
<p><input type=text name=username></p>
<p><input type=password name=password></p>
<p><input type=submit value=Login></p>
</form>
'''
@app.route('/logout')
def logout():
session.clear() # Invalidate session data.
session.regenerate() # Regenerate to prevent reuse.
return redirect(url_for('index_secure'))
Detection
- Review login flows: Trace the code paths involved in user authentication. Verify that after a successful login, the application explicitly invalidates the old session and generates a completely new session ID.
- Check session management libraries: Understand how your web framework or session management library handles session ID generation and regeneration. Ensure it's used correctly.
- Test with a fixed session ID: Manually attempt to set a session ID (e.g., using browser developer tools or a proxy like Burp Suite) before logging in. After logging in, check if the session ID remains the same.
Prevention
- [ ] Regenerate session ID after authentication: Always create new session after successful login, invalidating pre-login session ID.
- [ ] Regenerate on privilege changes: New session ID when users gain elevated permissions (e.g., admin promotion).
- [ ] Invalidate old sessions server-side: Ensure old session IDs cannot be reused after regeneration.
- [ ] Set secure cookie flags:
HttpOnly: Prevents client-side script accessSecure: HTTPS-only transmissionSameSite: CSRF protection
- [ ] Implement session timeouts: Use both absolute and idle timeouts to limit attack window.
Related Security Patterns & Anti-Patterns
- Missing Authentication Anti-Pattern: The foundation of secure user management, without which session fixation is more easily exploited.
- JWT Misuse Anti-Pattern: When using JWTs, token revocation and expiration become crucial for managing session state securely.
- Insufficient Randomness Anti-Pattern: Session IDs must be generated using a cryptographically secure random number generator to prevent prediction.
References
- OWASP Top 10 A07:2025 - Authentication Failures
- OWASP GenAI LLM06:2025 - Excessive Agency
- OWASP API Security API2:2023 - Broken Authentication
- OWASP Session Management Cheat Sheet
- CWE-384: Session Fixation
- CAPEC-61: Session Fixation
- PortSwigger: Authentication
- Source: sec-context
Related Skills
igbuend/xss-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for Cross-Site Scripting vulnerabilities (CWE-79). Use when generating or reviewing code that renders HTML, handles user input in web pages, uses innerHTML/document.write, or builds dynamic web content. Covers Reflected, Stored, and DOM-based XSS. AI code has 86% XSS failure rate.
4SKILL.mdUpdated Apr 5, 2026
igbuend/xpath-injection-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for XPath injection vulnerabilities (CWE-643). Use when generating or reviewing code that queries XML documents, constructs XPath expressions, or handles user input in XML operations. Detects unescaped quotes and special characters in XPath queries.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-password-hashing-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak password hashing (CWE-327, CWE-759). Use when generating or reviewing code that stores or verifies user passwords. Detects use of MD5, SHA1, SHA256 without salt, or missing password hashing entirely. Recommends bcrypt, Argon2, or scrypt.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-encryption-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak encryption (CWE-326, CWE-327). Use when generating or reviewing code that encrypts data, handles encryption keys, or uses cryptographic modes. Detects DES, ECB mode, static IVs, and custom crypto implementations.
4SKILL.mdUpdated Apr 5, 2026