Vulnerability Fixation
Server not validating Session Tokens

Authenticity of the session token is not being checked and validated at the server-side

In a secure web application, once a user logs in, the server usually issues a session token. This token is often stored in a cookie, localStorage, or passed as a bearer token. It is used to verify the user’s identity on future requests.

This vulnerability happens when the server fails to check if the session token is legitimate. This means:

  • The token may be accepted even if it has been altered, generated by the user, or expired.
  • The application automatically trusts any token given by the client, without checking where it came from or if it is valid.

Real-world Example: If an attacker creates or changes a session token and the server does not verify it against a trusted session store or signature, the attacker can bypass authentication and gain unauthorized access. This is a typical case of Broken Authentication and is a serious issue according to the OWASP Top 10.

Impact of this Vulnerability

  • Unauthorized Access: Attackers can forge session tokens and impersonate valid users.
  • Session Hijacking: without token validation, tokens leaked via XSS or logs can be reused indefinitely.
  • Escalation: Attackers can generate tokens with elevated roles (e.g., admin) and gain access to restricted resources.
  • Compliance Breach: Violates standard security policies required under GDPR, HIPAA, and PCI-DSS.

Solution to Fix the Vulnerability

To fix this issue effectively, developers need to use strict session token validation methods:

Always Validate Tokens Server-Side
On each request, check the session token against the server-side session store for opaque tokens. For JWTs or signed tokens, verify:

  • Signature
  • Expiry (exp)
  • Issuer (iss)
  • Audience (aud)

Use Secure Token Standards
Use signed JWTs with strong algorithms and never accept unsigned tokens. Store session tokens in cookies that carry the HttpOnly and Secure flags and an appropriate SameSite attribute, such as SameSite=Strict.

Token Expiry & Rotation
Use short-lived tokens and refresh token methods. Invalidate sessions after logout or after a period of inactivity.

Avoid Common Pitfalls
Do not trust tokens from the client without validation. Avoid custom or outdated token methods that do not have cryptographic protection.
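The checks above, as an added example that is not part of the original article: a self-contained HS256 verifier using only the Python standard library. It pins the algorithm server-side so unsigned (alg=none) tokens are rejected, checks the signature in constant time, and only then enforces exp, iss and aud. The secret, issuer and audience values are constructed for the demo; in production, use a maintained library such as PyJWT with the same options and load the key from a secret store.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real deployment loads this from a secret manager.
SECRET = b"constructed-demo-secret"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims: dict, key: bytes = SECRET) -> str:
    """Issue a signed HS256 JWT (server side only; used here to build sample input)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token: str, issuer: str, audience: str, key: bytes = SECRET, now=None) -> dict:
    """Return the claims only if alg, signature, exp, iss and aud all check out."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header, claims = json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("JSON parts are not objects")
    except (ValueError, UnicodeDecodeError) as e:  # covers bad split, base64 and JSON errors
        raise ValueError("malformed token") from e
    # Pin the algorithm server-side: the token never gets to choose (rejects alg=none/unsigned).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("bad signature")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims

def is_valid(token: str, issuer: str, audience: str, key: bytes = SECRET, now=None) -> bool:
    """Boolean form for request middleware: any failure means reject the request."""
    try:
        verify_token(token, issuer, audience, key, now)
        return True
    except ValueError:
        return False
```

Middleware should call `is_valid` on every request and treat a False result as unauthenticated, the same way a lookup miss in a server-side session store would be treated for opaque tokens.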

Vulnerable Libraries or Practices
Do not use older versions of token libraries like:

  • jsonwebtoken (Node.js) before v8.5.1
  • PyJWT (Python) before v2.0
  • Custom token logic without cryptographic signatures
