Skip to main content

Session Fixation


Severity High
Score 7.5/10


When using FORM authentication with Apache Tomcat before 7.0.99, 8.x before 8.5.50 and 9.x before 9.0.30 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

  • HIGH
  • HIGH
  • NONE
  • HIGH
  • HIGH

CWE-384 - Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Advisory Timeline

  • Published