session-fixation-anti-pattern
Installation
SKILL.md
Session Fixation Anti-Pattern
Severity: High
Summary
Attackers fix a user's session ID before login. The attacker obtains a valid session ID, tricks the victim into using it, and when authentication fails to regenerate the session ID, hijacks the victim's authenticated session.
The Anti-Pattern
The anti-pattern is reusing the same session ID before and after authentication.
BAD Code Example
# VULNERABLE: Session ID not regenerated after login.
from flask import Flask, session, redirect, url_for, request