Session Fixation: A token and an id

No, you are not vulnerable to session fixation, because of this authToken that you give to your clients when they log in.

You would be if

...the attacker has fixed a session he knows on the victim's computer, then the victim logged in with this session and made it authentic, now the attacker can use only this session to get access. But you are giving your clients new secret when they log in - the authToken.

without something new you give to your clients when they sign in, you would be vulnerable.

I am confused because of the extra token that is given when the user logs in.

In your model the authToken plays the role of the sessionID that you generate and give to your clients when they log in.


We can't tell for sure with the information provided.

In order to verify, you could try to access some protected resource (which is only available after login), with different Requests:

  1. Request with session-ID and without authToken
  2. Request with authToken and without session-ID

If one of those Requests are successful, you know, where the session is really stored and can therefore tell, if it is a session fixation or not.