Session Fixation in Firestore
How Session Fixation Manifests in Firestore
Session fixation in Firestore environments occurs when an attacker can set or predict a session identifier that the application later trusts, allowing unauthorized access to user data. Unlike traditional web session fixation that exploits HTTP cookies, Firestore session fixation typically emerges through predictable document IDs, insecure authentication flows, or Firebase Authentication token manipulation.
The most common Firestore-specific manifestation involves Firebase Authentication ID tokens being reused across sessions. When a user authenticates, Firebase returns an ID token that Firestore uses to authorize database reads and writes. If an application fails to properly invalidate tokens on logout or allows token reuse without proper validation, an attacker who obtains a valid token can maintain persistent access.
Firestore-Specific Detection
Detecting session fixation vulnerabilities in Firestore requires examining both application code and Firebase configuration. The most effective approach combines static code analysis with runtime scanning to identify authentication flows, document access patterns, and security rule configurations.
Code review should focus on authentication token handling patterns. Look for instances where ID tokens are stored without proper security measures, where token reuse isn't properly controlled, or where authentication state isn't validated on every request. Pay special attention to logout functionality: many session fixation vulnerabilities stem from failing to properly invalidate authentication tokens.
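As an added example that is not part of the original article, the following Node.js code shows the logout check described above: a token is accepted only if the sign-in it came from (the `auth_time` claim) happened after the user's most recent logout. It assumes the token signature has already been verified upstream (for example by the Firebase Admin SDK), uses an in-memory map as a stand-in for a per-user revocation record, and builds its own unsigned sample tokens.

```javascript
// Added example (not the page author's code): a revocation-aware check for a
// Firebase-style ID token. Assumes the signature was already verified upstream
// (e.g. by the Admin SDK); this only decides whether a valid token is still
// fresh after the user's last logout, by comparing the token's auth_time
// claim with a per-user revocation timestamp.

// Constructed in-memory stand-in for a per-user record (e.g. a Firestore
// document such as metadata/{uid} holding a revokeTime field).
const revokeTimes = new Map();

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Parse the claims of a JWT-shaped token. No signature check here: that is
// assumed to have happened before this function is called.
function decodeClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed ID token');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Logout: record the time so every token minted by an earlier sign-in is rejected.
function logout(uid, nowSeconds = Math.floor(Date.now() / 1000)) {
  revokeTimes.set(uid, nowSeconds);
  return nowSeconds;
}

// Accept only unexpired tokens whose sign-in (auth_time) postdates the last logout.
function isSessionFresh(idToken, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeClaims(idToken);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return false;
  if (typeof claims.auth_time !== 'number') return false;
  const revokedAt = revokeTimes.get(claims.sub);
  return revokedAt === undefined || claims.auth_time > revokedAt;
}

// Constructed, unsigned sample token for illustration (placeholder signature).
function makeSampleToken(claims) {
  return `${b64urlEncode({ alg: 'RS256', typ: 'JWT' })}.${b64urlEncode(claims)}.sig`;
}
```

The same comparison can be enforced in Firestore Security Rules, where the sign-in time is exposed as `request.auth.token.auth_time`, so the check does not depend on client code behaving correctly.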