Analyze session management implementations to identify security vulnerabilities in web applications.
Use when you need to audit session handling, check for session fixation risks, review session timeout configurations, or validate session ID generation security.
Trigger with phrases like "check session security", "audit session management", "review session handling", or "session fixation vulnerability".
Audit session management implementations in web applications to identify vulnerabilities including session fixation (CWE-384), insufficient session expiration (CWE-613), and cleartext transmission of session tokens (CWE-319).
Prerequisites
Application source code accessible in ${CLAUDE_SKILL_DIR}/
Framework and language identified (Express.js, Django, Spring Boot, Rails, ASP.NET, etc.)
Session configuration files available (session.config.*, settings.py, application.yml)
Write permissions for reports in ${CLAUDE_SKILL_DIR}/security-reports/
Instructions
Locate session management code by searching for patterns: **/auth/**, **/session/**, , and framework-specific files (, , ).
**/middleware/**
settings.py
application.yml
web.config
Analyze session ID generation: verify use of a cryptographically secure random generator with at least 128 bits of entropy. Flag predictable patterns such as Date.now(), Math.random(), sequential IDs, or timestamp-based tokens (CWE-330).
Check session fixation protections: confirm the session ID is regenerated after authentication (req.session.regenerate() in Express, request.session.cycle_key() in Django). Flag any login handler that sets authenticated = true without regenerating the session ID.
Validate cookie security attributes: verify HttpOnly (prevents XSS-based token theft), Secure (HTTPS-only transmission), SameSite=Lax|Strict (CSRF mitigation), and __Host-/__Secure- prefix usage. Flag any missing attribute.
Review session expiration: check idle timeout (recommend 15-30 min for sensitive apps), absolute timeout (recommend 4-8 hours), and sliding window configuration. Flag sessions without any expiration.
Audit session invalidation: verify logout handlers destroy server-side session state and clear client cookies. Confirm password reset and privilege escalation flows invalidate existing sessions.
Inspect session storage: flag in-memory stores in production (no persistence across restarts), unencrypted session data at rest, and missing integrity checks on session payloads (e.g., unsigned JWT session tokens).
Identify attack vectors: assess exposure to session fixation, CSRF via session riding, replay attacks from stolen tokens, and session prediction from weak ID generation.
Produce the session security report at ${CLAUDE_SKILL_DIR}/security-reports/session-security-YYYYMMDD.md with per-finding severity, CWE mapping, vulnerable code snippet, and remediated code example.
See ${CLAUDE_SKILL_DIR}/references/implementation.md for the detailed implementation guide. See ${CLAUDE_SKILL_DIR}/references/critical-findings.md for example vulnerability patterns with before/after code.
Output
Session Security Report: ${CLAUDE_SKILL_DIR}/security-reports/session-security-YYYYMMDD.md with findings by severity