Skip to main content

Session Fixation


Severity High
Score 8.8/10


Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of the session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to session fixation. This issue affects versions 2.0.0BETA1 through 4.4.49, 5.0.0-BETA1 through 5.4.19, 6.0.0-BETA1 through 6.0.19, 6.1.0-BETA1 through 6.1.11, and 6.2.0-BETA1 through 6.2.5.

  • LOW
  • HIGH
  • NONE
  • HIGH
  • HIGH

CWE-384 - Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.


Advisory Timeline

  • Published