Checking Session Security
Overview
Audit session management implementations in web applications to identify vulnerabilities including session fixation (CWE-384), insufficient session expiration (CWE-613), and cleartext transmission of session tokens (CWE-319).
Prerequisites
- Application source code accessible in ${CLAUDESKILLDIR}/
- Session management code locations identified (auth modules, middleware, session stores)
- Framework and language identified (Express.js, Django, Spring Boot, Rails, ASP.NET, etc.)
- Session configuration files available (session.config.*, settings.py, application.yml)
- Write permissions for reports in ${CLAUDESKILLDIR}/security-reports/
Instructions
- Locate session management code by searching for patterns: /auth/, /session/, /middleware/, and framework-specific files (settings.py, application.yml, web.config).
- Analyze session ID generation: verify use of a cryptographically secure random generator with at least 128 bits of entropy. Flag predictable patterns such as Date.now(), Math.random(), sequential IDs, or timestamp-based tokens (CWE-330).
- Check session fixation protections: confirm the session ID is regenerated after authentication (req.session.regenerate() in Express, request.session.cycle_key() in Django). Flag any login handler that sets authenticated = true without regenerating the session ID.
- Validate cookie security attributes: verify HttpOnly (prevents XSS-based token theft), Secure (HTTPS-only transmission), SameSite=Lax|Strict (CSRF mitigation), and __Host-/__Secure- cookie-name prefix usage (both prefixes require Secure; __Host- additionally requires Path=/ and no Domain attribute, so the cookie cannot be overwritten from a sibling subdomain). Flag any missing attribute.
- Review session expiration: check idle timeout (recommend 15-30 min for sensitive apps), absolute timeout (recommend 4-8 hours), and sliding-window (rolling) configuration, which must not extend a session past the absolute timeout. Flag sessions without any expiration, including those whose only lifetime is a client-side cookie expiry with no server-side TTL.
- Audit session invalidation: verify logout handlers destroy server-side session state and clear client cookies. Confirm password reset and privilege escalation flows invalidate existing sessions.
- Inspect session storage: flag in-memory stores in production (no persistence across restarts), unencrypted session data at rest, and missing integrity checks on session payloads (e.g., unsigned JWT session tokens).
- Identify attack vectors: assess exposure to session fixation, CSRF via session riding, replay attacks from stolen tokens, and session prediction from weak ID generation.