Fixation protection

Session fixation is a security vulnerability that allows an attacker to hijack a valid user session. This vulnerability arises when web applications reuse existing session IDs instead of generating new ones during the authentication process. By exploiting this flaw, attackers can potentially gain unauthorized access to a user's account and perform malicious actions on their behalf.

See the OWASP Session Fixation page for specific examples of how this attack works.

How does Clerk protect against session fixation?

Clerk resets the session token each time a user signs in or out of a browser. When the session is reset, the old session token is invalidated and can no longer be used for authentication.