
My web application is only accessible to authenticated users. Before login the user can only see the main page with a button to log in. The application assigns a session ID on the main page; the authentication is handled by another application.

After login and coming back to my application the user still has the same session ID. However, it will be changed after logout.

OWASP ASVS states that the session ID should be changed on login, but I do not see a clear reason why it is necessary in this situation. Is it necessary to change it?


1 Answer


The reason why it is best to change session IDs upon login is due to potential man-in-the-middle vulnerabilities. If an attacker captures your session ID, they can use it to pose as the legitimate user. This is called a session-fixation vulnerability. Changing session IDs upon every login will help to prevent this vulnerability, as the previous session ID will be deemed invalid and the attacker cannot use it to authenticate anymore.

References:

  • https://www.owasp.org/index.php/Session_fixation
  • https://www.owasp.org/index.php/Session_hijacking_attack

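The following is an added example, not code from the question or the answer above. It models the setup described in the question (a session ID handed out on the pre-login main page, with the login itself done elsewhere) as a small in-memory session store and plays the session-fixation scenario through it twice: once keeping the pre-auth ID across login, once rotating it. The `SessionStore` class, its method names and the user name `alice` are invented for illustration; how the attacker plants the ID in the victim's browser (cookie injection from a sibling subdomain, an ID accepted from a URL parameter, and so on) is assumed and not shown.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Session:
    # None until the callback from the external authentication app marks the session as logged in
    user: Optional[str] = None


class SessionStore:
    """Hypothetical server-side session store. IDs are random opaque tokens;
    the authenticated user is kept server-side only, keyed by that token."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self._sessions = {}  # session ID -> Session

    def visit_main_page(self, presented_id: Optional[str] = None) -> str:
        """Pre-auth: like the main page in the question, hands out a session ID.
        If the browser already presents a known ID it is kept as-is."""
        if presented_id in self._sessions:
            return presented_id
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def login_callback(self, presented_id: str, user: str) -> str:
        """Called when the user comes back from the external authentication app.
        Returns the session ID the browser must use from now on."""
        if presented_id not in self._sessions:
            raise KeyError("unknown session")
        if not self.rotate_on_login:
            # The situation in the question: the pre-auth ID simply becomes authenticated.
            self._sessions[presented_id].user = user
            return presented_id
        # What ASVS asks for: the pre-auth ID is invalidated and a fresh ID,
        # that only this browser ever receives, carries the login.
        del self._sessions[presented_id]
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = Session(user=user)
        return new_id

    def whoami(self, presented_id: str) -> Optional[str]:
        """User bound to the presented ID, or None if it is unknown or unauthenticated."""
        s = self._sessions.get(presented_id)
        return s.user if s else None

    def logout(self, presented_id: str) -> None:
        self._sessions.pop(presented_id, None)


def session_fixation_demo(rotate_on_login: bool) -> Tuple[Optional[str], Optional[str]]:
    """Plays the fixation scenario and returns (what the attacker's fixed ID yields,
    what the victim's current ID yields) after the victim has logged in."""
    store = SessionStore(rotate_on_login)

    # 1. Attacker visits the public main page and receives a valid pre-auth session ID.
    fixed_id = store.visit_main_page()

    # 2. Attacker plants that ID in the victim's browser (mechanism assumed, see lead-in).
    #    The victim's next visit to the main page keeps the planted ID.
    victim_id = store.visit_main_page(presented_id=fixed_id)
    assert victim_id == fixed_id

    # 3. Victim authenticates with the external application and returns to this one.
    victim_id = store.login_callback(victim_id, user="alice")

    # 4. Attacker replays the ID they planted, never having seen the victim's traffic.
    return store.whoami(fixed_id), store.whoami(victim_id)


if __name__ == "__main__":
    print("keep ID across login   :", session_fixation_demo(rotate_on_login=False))
    print("rotate ID on login     :", session_fixation_demo(rotate_on_login=True))
```

Without rotation the attacker's pre-auth ID becomes the victim's authenticated session the moment the login callback runs, which is why the fact that the ID was issued before authentication does not protect it. With rotation the planted ID is gone after login and only the victim's browser holds the new one; changing the ID on logout, as the question's application already does, closes nothing here because the damage is done at login.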