Category: Manage User Sessions
Draft
Summary
Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-384 | Session Fixation | Session fixation occurs when an application authenticates a user without first destroying the previous session ID. This allows an attacker who knows that session identifier to hijack the user's authenticated session. |
| CWE-488 | Exposure of Data Element to Wrong Session | This vulnerability occurs when an application fails to properly isolate data between different user sessions, allowing information from one user's session to leak into another's. |
| CWE-579 | J2EE Bad Practices: Non-serializable Object Stored in Session | This vulnerability occurs when a Java application stores an object in the user's session that cannot be serialized, which can break critical application features and hurt reliability. |
| CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length | This vulnerability occurs when a J2EE application uses session identifiers that are too short, making them easier for attackers to predict or capture. |
| CWE-613 | Insufficient Session Expiration | Insufficient session expiration occurs when an application allows old session tokens or IDs to remain valid for too long, letting attackers reuse them to gain unauthorized access. |
| CWE-841 | Improper Enforcement of Behavioral Workflow | This weakness occurs when an application requires a user to follow a specific sequence of actions, but fails to enforce that order. Attackers can exploit this by skipping steps, performing actions out of sequence, or interrupting the flow, which can corrupt the business logic or put the system into an invalid state. |
| CWE-1008 | Architectural Concepts | This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.