Session Id Rotated On Login
@security/check-session-id-rotated-on-login
$ prime install @security/check-session-id-rotated-on-login
Projection
Always in _index.xml · the agent never has to ask for this.
SessionIdRotatedOnLogin [check] v0.1.0
Loaded when retrieval picks the atom as adjacent / supporting.
SessionIdRotatedOnLogin [check] v0.1.0
Label
Session id is regenerated on authentication and privilege change
Assertion
On every successful authentication, password change, MFA enrolment, or role escalation, the server invalidates the pre-event session id and issues a new one in a new cookie. The old id must not be valid afterwards.
Evidence
- Login handler calls the framework's `session.regenerate()` (or equivalent) and forces a new `Set-Cookie` on the response.
- Server-side session store no longer accepts the pre-login id.
- The same rotation occurs on privilege change (admin role granted, password changed, MFA reset).
Failure Mode
An attacker who set the victim's session id pre-login (via a malicious link or an attacker-controlled subdomain) is now logged in as the victim post-login.
Loaded when retrieval picks the atom as a focal / direct hit.
SessionIdRotatedOnLogin [check] v0.1.0
Label
Session id is regenerated on authentication and privilege change
Assertion
On every successful authentication, password change, MFA enrolment, or role escalation, the server invalidates the pre-event session id and issues a new one in a new cookie. The old id must not be valid afterwards.
Evidence
- Login handler calls the framework's `session.regenerate()` (or equivalent) and forces a new `Set-Cookie` on the response.
- Server-side session store no longer accepts the pre-login id.
- The same rotation occurs on privilege change (admin role granted, password changed, MFA reset).
Failure Mode
An attacker who set the victim's session id pre-login (via a malicious link or an attacker-controlled subdomain) is now logged in as the victim post-login.
Rationale
Session fixation attacks plant a known session id on the victim before login (via a malicious link, an open redirect, or an attacker-controlled subdomain). Rotating the id at the moment privilege increases ensures any attacker-known id is worthless after authentication.
Source
prime-system/examples/security-appsec/primes/compiled/@security/check-session-id-rotated-on-login/atom.yaml