Checking Session Security

Overview

Audit session management implementations in web applications to identify vulnerabilities including session fixation (CWE-384), insufficient session expiration (CWE-613), and cleartext transmission of session tokens (CWE-319).

Prerequisites

• Application source code accessible in ${CLAUDE_SKILL_DIR}/
• Session management code locations identified (auth modules, middleware, session stores)
• Framework and language identified (Express.js, Django, Spring Boot, Rails, ASP.NET, etc.)
• Session configuration files available (session.config.*, settings.py, application.yml)
• Write permissions for reports in ${CLAUDE_SKILL_DIR}/security-reports/

Instructions

1. Locate session management code by searching for patterns: **/auth/**, **/session/**, **/middleware/**, and framework-specific files (settings.py, application.yml, web.config).
2. Analyze session ID generation: verify use of a cryptographically secure random generator with at least 128 bits of entropy. Flag predictable patterns such as Date.now(), Math.random(), sequential IDs, or timestamp-based tokens (CWE-330).
3. Check session fixation protections: confirm the session ID is regenerated after authentication (req.session.regenerate() in Express, request.session.cycle_key() in Django). Flag any login handler that sets authenticated = true without regenerating the session ID.
4. Validate cookie security attributes: verify HttpOnly (prevents XSS-based token theft), Secure (HTTPS-only transmission), SameSite=Lax|Strict (CSRF mitigation), and __Host-/__Secure- prefix usage. Flag any missing attribute.
5. Review session expiration: check idle timeout (recommend 15-30 min for sensitive apps), absolute timeout (recommend 4-8 hours), and sliding window configuration. Flag sessions without any expiration.
6. Audit session invalidation: verify logout handlers destroy server-side session state and clear client cookies. Confirm password reset and privilege escalation flows invalidate existing sessions.
7. Inspect session storage: flag in-memory stores in production (no persistence across restarts), unencrypted session data at rest, and missing integrity checks on session payloads (e.g., unsigned JWT session tokens).
8. Identify attack vectors: assess exposure to session fixation, CSRF via session riding, replay attacks from stolen tokens, and session prediction from weak ID generation.
9. Produce the session security report at ${CLAUDE_SKILL_DIR}/security-reports/session-security-YYYYMMDD.md with per-finding severity, CWE mapping, vulnerable code snippet, and remediated code example.

See ${CLAUDE_SKILL_DIR}/references/implementation.md for the detailed implementation guide. See ${CLAUDE_SKILL_DIR}/references/critical-findings.md for example vulnerability patterns with before/after code.

Output

• Session Security Report: ${CLAUDE_SKILL_DIR}/security-reports/session-security-YYYYMMDD.md with findings by severity
• Cookie Attribute Matrix: per-cookie compliance table (HttpOnly, Secure, SameSite, prefix)
• Vulnerable Code Listings: each finding with file path, line number, vulnerable snippet, and fix
• Framework-Specific Remediation: configuration changes tailored to the detected framework

Error Handling

Error	Cause	Solution
No session handling code found in ${CLAUDE_SKILL_DIR}/	Unusual file structure or framework	Search for framework-specific patterns; request explicit file paths
Unknown session framework	Custom or uncommon session library	Apply fundamental session security principles; note limited framework-specific guidance
Cannot analyze minified/compiled code	Production bundles instead of source	Request unminified source code; document limitation
Non-standard session implementation	Custom session management bypassing framework	Apply extra scrutiny; custom implementations are higher risk (CWE-384, CWE-613)
Session config in environment variables, not code	Externalized configuration	Request .env.example or deployment config documentation

Examples

• "Audit session cookie flags and rotation logic for fixation and CSRF risks in the Express.js application."
• "Review logout and password reset flows to confirm sessions are invalidated correctly and old tokens cannot be replayed."
• "Check session ID generation entropy and storage backend security for the Django application."

Resources

• OWASP Session Management Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
• CWE-384 Session Fixation: https://cwe.mitre.org/data/definitions/384.html
• CWE-613 Insufficient Session Expiration: https://cwe.mitre.org/data/definitions/613.html
• CWE-319 Cleartext Transmission: https://cwe.mitre.org/data/definitions/319.html
• NIST 800-63B Digital Authentication: https://pages.nist.gov/800-63-3/sp800-63b.html
• ${CLAUDE_SKILL_DIR}/references/critical-findings.md -- example vulnerability patterns
• ${CLAUDE_SKILL_DIR}/references/errors.md -- full error handling reference
• https://intentsolutions.io