Details

CWE-384: Session Fixation

Description

The application never invalidates user sessions, which can lead to session fixation attacks. As a result, the session identifier stays the same before, during, and after a user has logged in or out. An attacker may attempt to force a user into using a specific session identifier, then hijack the session once the user has logged in.

Remediation

Invalidate any existing session after the user has authenticated but before calling methods that establish the UserPrincipal. Also, invalidate the session object when a user logs out; otherwise, the session remains valid on the server.
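As an added illustration (not code from the original page or from any particular framework), a minimal in-memory session store in Python: `login` shows the vulnerable behaviour (identifier kept across authentication) beside the remediation (existing session invalidated and a fresh identifier issued before the user is attached), and `logout` invalidates server-side. `SessionStore`, `login`, `logout`, `rotate` and `rotation_is_effective` are hypothetical names.

```python
import secrets

class SessionStore:
    """Constructed in-memory session backend; hypothetical names, not a
    framework API. Maps session identifier -> session attributes."""

    def __init__(self):
        self._sessions = {}

    def create(self) -> str:
        # Issue an unpredictable identifier for a new anonymous session.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"authenticated": False, "user": None}
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)

    def invalidate(self, sid: str) -> None:
        # Drop the server-side state so the identifier is no longer honoured.
        self._sessions.pop(sid, None)

    def login(self, sid: str, user: str, rotate: bool = True) -> str:
        """Authenticate the holder of `sid`; return the identifier to use from now on.

        rotate=False reproduces the CWE-384 defect: the pre-login identifier is
        kept, so whoever planted it on the victim's browser now holds an
        authenticated session. rotate=True is the remediation: invalidate the
        existing session and issue a fresh identifier before the user principal
        is attached, so a fixated pre-login identifier becomes worthless.
        """
        if rotate or sid not in self._sessions:
            self.invalidate(sid)
            sid = self.create()
        session = self._sessions[sid]
        session["authenticated"] = True
        session["user"] = user
        return sid

    def logout(self, sid: str) -> None:
        # Logout remediation: invalidate on the server, not just the client cookie.
        self.invalidate(sid)


def rotation_is_effective(store: SessionStore) -> bool:
    # Check helper: a pre-login identifier must not remain valid after login.
    pre = store.create()
    post = store.login(pre, "alice")
    return post != pre and store.get(pre) is None and store.get(post)["authenticated"]
```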

References

CWE
OWASP
WASC