
Preventing session fixation and session hijacking

“Session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate (set) another person’s session identifier (SID). Most session fixation attacks are web based, and most rely on session identifiers being accepted from URLs (query string) or POST data.” (from Wikipedia)

Let’s look at the countermeasures we can take to prevent this class of vulnerability. The core idea behind all of them: the server, not the client, decides what a valid session identifier is, and the identifier changes whenever the session’s trust level changes.

* Generate a new session identifier whenever the user logs in. This is the single most important step: an identifier planted before authentication must never survive authentication.

* Generate a new session identifier whenever the user re-authenticates or changes privilege level (password change, step-up to an admin area, role switch).

* Generate a new session identifier on each request. This is the strictest option, but concurrent requests (AJAX calls, several tabs) can race on the old identifier, so if you do this, keep the previous identifier valid for a short grace window.

* Generate a new session identifier every 3-5 minutes. Periodic rotation limits how long a leaked or fixated identifier stays useful, at much lower cost than per-request rotation.

* Perform an extra check by matching the User-Agent. Treat a mismatch as a reason to end the session, not as proof of legitimacy: the header is fully under the attacker’s control and trivially copied.

* Perform an extra check by matching the IP. This catches some hijacking but breaks users behind NAT, mobile networks and rotating proxies; a mismatch should at most require re-authentication.

* Store the session identifier in HTTP cookies only, flagged HttpOnly, Secure and SameSite, and never accept it from the query string or POST body. Identifiers in URLs end up in logs, Referer headers and browser history, which is exactly what most fixation attacks rely on.

* The logout mechanism must destroy all session data on the server side and expire the cookie on the client; clearing the cookie alone leaves the server-side session alive for anyone who still holds the identifier.

* Only honour session identifiers the server itself issued, generated from a cryptographically secure random source (not a timestamp, counter or hand-rolled scheme). If a client presents an identifier the server does not recognise, issue a fresh one rather than adopting the client’s value.
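The list above is one procedure, so here is a single worked example that puts the pieces together: a small in-memory session store that refuses client-supplied identifiers, rotates on login and on a timer, ends the session on a User-Agent change, and destroys server-side state on logout. This is added example code, not code from the original post or from any particular framework; the cookie name `session`, the 300-second rotation window, the `attacker-chosen-id` value and the User-Agent strings in the walkthrough are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SESSION_ID_BYTES = 32        # 256 bits from the OS CSPRNG (secrets), well above the usual 128-bit floor
ROTATE_AFTER_SECONDS = 300   # periodic rotation window; the list's "every 3-5 minutes" (assumed value)
COOKIE_NAME = "session"      # assumed cookie name for this example


@dataclass
class Session:
    """Server-side session state. The SID is only the key into the store, never a carrier of data."""
    user: Optional[str] = None
    user_agent: str = ""
    rotated_at: float = 0.0
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def get(self, sid: Optional[str]) -> Optional[Session]:
        return self._sessions.get(sid) if sid else None

    def resolve(self, presented_sid: Optional[str], user_agent: str,
                now: Optional[float] = None) -> Tuple[str, Session]:
        """Map the SID a request presents (taken from the cookie only, never from the URL or
        POST body) to a session. An unknown SID is never adopted: the server issues its own,
        so an attacker cannot plant an ID and wait for the victim to log in under it."""
        now = time.time() if now is None else now
        sess = self.get(presented_sid)
        if sess is None:
            sid = self._new_id()
            self._sessions[sid] = Session(user_agent=user_agent, rotated_at=now)
            return sid, self._sessions[sid]
        if sess.user_agent != user_agent:
            # Weak hijack signal (the UA is attacker-controlled): used only to end the
            # existing session and start an empty one, never to grant anything.
            self.destroy(presented_sid)
            return self.resolve(None, user_agent, now)
        if now - sess.rotated_at >= ROTATE_AFTER_SECONDS:
            sid = self.rotate(presented_sid, now)
            return sid, self._sessions[sid]
        return presented_sid, sess

    def rotate(self, sid: str, now: Optional[float] = None) -> str:
        """Move the session to a fresh identifier and drop the old one, so any copy of the
        old SID (fixated or sniffed) stops working immediately."""
        sess = self._sessions.pop(sid)
        sess.rotated_at = time.time() if now is None else now
        new_sid = self._new_id()
        self._sessions[new_sid] = sess
        return new_sid

    def login(self, sid: str, user: str, now: Optional[float] = None) -> str:
        """Authenticate and rotate in one step: the privilege change gets a new SID."""
        self._sessions[sid].user = user
        return self.rotate(sid, now)

    def logout(self, sid: str) -> str:
        """Destroy server-side state and return the header that expires the client's cookie."""
        self.destroy(sid)
        return f"Set-Cookie: {COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax"

    def destroy(self, sid: Optional[str]) -> None:
        if sid:
            self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Cookie attributes that keep the SID out of URLs, page scripts and cross-site requests."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def fixation_walkthrough() -> dict:
    """Constructed scenario: the attacker tries to fixate 'attacker-chosen-id' on the victim."""
    store = SessionStore()
    victim_ua = "Mozilla/5.0 (victim)"
    # 1. The victim's browser arrives carrying the attacker's SID; the server ignores it.
    sid_before_login, _ = store.resolve("attacker-chosen-id", victim_ua, now=1000.0)
    # 2. The victim logs in; the SID is rotated again.
    sid_after_login = store.login(sid_before_login, "alice", now=1001.0)
    # 3. The attacker replays the planted SID and only gets a fresh, unauthenticated session.
    _, attacker_sess = store.resolve("attacker-chosen-id", "curl/8.0", now=1002.0)
    return {
        "planted_id_adopted": sid_before_login == "attacker-chosen-id",
        "login_rotated": sid_after_login != sid_before_login,
        "old_sid_dead": store.get(sid_before_login) is None,
        "attacker_authenticated": attacker_sess.user is not None,
        "cookie": set_cookie_header(sid_after_login),
    }


if __name__ == "__main__":
    print(fixation_walkthrough())
```

In a real application `resolve()` would be called from request middleware with the value of the `session` cookie, and `set_cookie_header()` emitted whenever the returned SID differs from the presented one. The User-Agent check ends the session on mismatch rather than rejecting the request outright, matching the caveat above that the header is evidence, not proof.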