checking-session-security

Checking Session Security

Overview

Audit session management implementations in web applications to identify vulnerabilities including session fixation (CWE-384), insufficient session expiration (CWE-613), and cleartext transmission of session tokens (CWE-319).

Prerequisites

  • Application source code accessible in ${CLAUDE_SKILL_DIR}/
  • Session management code locations identified (auth modules, middleware, session stores)
  • Framework and language identified (Express.js, Django, Spring Boot, Rails, ASP.NET, etc.)
  • Session configuration files available (session.config.*, settings.py, application.yml)
  • Write permissions for reports in ${CLAUDE_SKILL_DIR}/security-reports/

Instructions

  1. Locate session management code by searching for patterns: **/auth/**, **/session/**, **/middleware/**, and framework-specific files (settings.py, application.yml, web.config).
  2. Analyze session ID generation: verify use of a cryptographically secure random generator with at least 128 bits of entropy. Flag predictable patterns such as Date.now(), Math.random(), sequential IDs, or timestamp-based tokens (CWE-330).
  3. Check session fixation protections: confirm the session ID is regenerated after authentication (req.session.regenerate() in Express, request.session.cycle_key() in Django). Flag any login handler that sets authenticated = true without regenerating the session ID.
  4. Validate cookie security attributes: verify HttpOnly (prevents XSS-based token theft), Secure (HTTPS-only transmission), SameSite=Lax|Strict (CSRF mitigation), and __Host-/__Secure- prefix usage. Flag any missing attribute.
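As an added example (not part of the skill's own files), a small static check in JavaScript that applies steps 2 to 4 to an Express.js session setup. The two sample sources are constructed for this example, and the `auditSessionSource` helper is hypothetical; it reads the `express-session` options (`name`, `genid`, `cookie`) and the login handler as text.

```javascript
// Constructed sample: weak session setup (not from the page or any real project).
const WEAK_SOURCE = `
const session = require('express-session');
app.use(session({
  name: 'sid',
  secret: 'changeme',
  genid: () => String(Date.now()) + Math.random(),   // predictable ID
  cookie: { httpOnly: false, maxAge: 30 * 24 * 3600 * 1000 }
}));
app.post('/login', (req, res) => {
  req.session.authenticated = true;                  // no regenerate()
  res.redirect('/');
});`;

// Constructed sample: the same setup after applying the checks above.
const HARDENED_SOURCE = `
const session = require('express-session');
app.use(session({
  name: '__Host-sid',
  secret: process.env.SESSION_SECRET,
  cookie: { httpOnly: true, secure: true, sameSite: 'lax', maxAge: 15 * 60 * 1000 }
}));
app.post('/login', (req, res) => {
  req.session.regenerate(() => {                     // fresh ID after auth
    req.session.authenticated = true;
    res.redirect('/');
  });
});`;

// Hypothetical helper: returns one finding string per failed check.
function auditSessionSource(src) {
  const findings = [];
  // Step 2: predictable inputs to session ID generation (CWE-330)
  if (/\b(Date\.now|Math\.random)\s*\(/.test(src)) {
    findings.push('CWE-330: predictable value used in session ID generation');
  }
  // Step 3: authenticated flag set without regenerating the session (CWE-384)
  if (/req\.session\.authenticated\s*=\s*true/.test(src) &&
      !/req\.session\.regenerate\s*\(/.test(src)) {
    findings.push('CWE-384: login sets authenticated=true without session.regenerate()');
  }
  // Step 4: cookie attributes; a missing cookie block counts as all attributes missing
  const cookieMatch = src.match(/cookie:\s*\{([^}]*)\}/);
  const cookie = cookieMatch ? cookieMatch[1] : '';
  if (!/httpOnly:\s*true/.test(cookie)) findings.push('HttpOnly not set: token readable by script');
  if (!/secure:\s*true/.test(cookie)) findings.push('CWE-319: Secure not set, cookie may travel over HTTP');
  if (!/sameSite:\s*['"](lax|strict)['"]/i.test(cookie)) findings.push('SameSite not Lax or Strict');
  const nameMatch = src.match(/name:\s*['"]([^'"]+)['"]/);
  if (!/^__(Host|Secure)-/.test(nameMatch ? nameMatch[1] : '')) {
    findings.push('cookie name lacks __Host-/__Secure- prefix');
  }
  return findings;
}

console.log(auditSessionSource(WEAK_SOURCE));      // six findings
console.log(auditSessionSource(HARDENED_SOURCE));  // []
```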
Installs: 32 | GitHub Stars: 2.2K | First Seen: Feb 1, 2026