SV.SESSION.FIXATION.COOKIE
Cookies should not be vulnerable to session fixation
Klocwork reports an SV.ECV.TRUSTMANAGER defect when a tainted value is used to set the JSESSIONID cookie.
Vulnerability and risk
By using tainted data in cookies, attackers can set the session identifier to a known value that allows an attacker to share the session with the victim. Attackers can then gain unauthorized access to sensitive information.
Mitigation and prevention
Avoid using tainted data in JSESSIONID cookies.
Vulnerable code example
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.*;
import java.io.IOException;
public class Test {
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String value = req.getParameter("value");
Cookie cookie = new Cookie("jsessionid", value); // SV.SESSION.FIXATION.COOKIE
}
}
Klocwork reports an SV.SESSION.FIXATION.COOKIE defect at line 9, because tainted data from the request is used to set the session ID in the cookie.
Fixed code example
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.*;
import java.io.IOException;
public class Test {
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
SecureRandom secureRandom = SecureRandom.getInstance("NativePRNG");
long value = secureRandom.nextLong();
Cookie cookie = new Cookie("jsessionid", value);
}
}
Klocwork no longer reports an SV.SESSION.FIXATION.COOKIE defect because the JSESSIONID cookie is set to a random value.
Related checkers
External guidance
- CWE-384: Session Fixation
- OWASP A2:2017 Broken Authentication
- OWASP A7:2021 Identification and Authentication Failures
- V-222577 (APSC-DV-002230): The application must not expose session IDs.
- V-222578 (APSC-DV-002240): The application must destroy the session ID value and/or cookie on logoff or browser close.
Security training
Application security training materials provided by Secure Code Warrior.