
Session fixation attack

(also session fixing)

Session fixation attack definition

A session fixation attack is a way to force a victim to use a session ID of the attacker's choosing while they browse a website. The cybercriminal prepares for the attack by first obtaining a valid session ID for the targeted website. Then they trick the victim into logging into the website (for example, a banking account) using that predefined session ID. This can be done through phishing, smishing, or other social engineering attacks. Once the victim clicks on the link and authenticates using the predefined ID, the attacker, who already knows that ID, can access the account and impersonate its owner.

How to prevent session fixation attacks

  • Beware of phishing and never open a link if it’s the least bit suspicious. If you receive a message that appears to come from your bank, open a new tab and enter the website URL manually. This way, you’ll avoid using a fixed session ID and be able to check whether everything is in order with your account.
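The definition above describes what goes wrong on the server: the application keeps using whatever session ID the victim's request carried, even after the victim authenticates. The example below, added here and not taken from the page, contrasts that behaviour with the standard server-side defences (issuing a fresh, server-generated session ID at login and reading session IDs only from cookies, never from the URL). The `SessionStore`, `simulate` and `session_id_from_request` names and the in-memory store are constructed for illustration and stand in for a real web framework's session backend.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store (hypothetical, for illustration)."""

    def __init__(self):
        # session_id -> {"user": username or None while unauthenticated}
        self.sessions = {}

    def new_session(self):
        # Server-generated, unpredictable session ID.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None

    def login_fixable(self, sid, user):
        # Vulnerable pattern: the ID the request arrived with is kept and simply
        # marked as authenticated. If that ID was planted by an attacker, the
        # attacker now holds a logged-in session for this user.
        if sid not in self.sessions:
            self.sessions[sid] = {"user": None}  # also accepts unknown, client-chosen IDs
        self.sessions[sid]["user"] = user
        return sid

    def login_safe(self, sid, user):
        # Hardened pattern: discard the pre-authentication session and issue a
        # fresh ID at the moment privileges change, so any ID known to a third
        # party before login is worthless afterwards.
        self.sessions.pop(sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = user
        return new_sid


def session_id_from_request(cookies, query_params):
    """Only honour a session ID carried in the cookie; a session ID in the URL
    (e.g. ?sid=...) is ignored, which removes the easiest way to plant one via a link.
    Both arguments are plain dicts standing in for parsed request data."""
    return cookies.get("sid")


def simulate(use_safe_login):
    """Model a victim logging in with a planted session ID and report what the
    attacker's copy of that ID resolves to afterwards."""
    store = SessionStore()
    planted = "attacker-known-id"  # constructed: an ID a third party already knows
    login = store.login_safe if use_safe_login else store.login_fixable
    victim_sid = login(planted, "alice")
    return {
        "attacker_sees": store.user_for(planted),    # who the planted ID now maps to
        "victim_sees": store.user_for(victim_sid),   # the victim's own session still works
    }


if __name__ == "__main__":
    print("fixable login:", simulate(False))
    print("safe login:   ", simulate(True))
```

With the vulnerable login the planted ID resolves to the victim's account after authentication; with the regenerating login it resolves to nothing while the victim's new session works normally. Most web frameworks expose this rotation as a one-call operation (regenerating the session on login); the essential property is that the ID presented before authentication never becomes an authenticated one.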