Analyze session management implementations to identify security vulnerabilities in web applications. Use when you need to audit session handling, check for session fixation risks, review session timeout configurations, or validate session ID generation security. Trigger with phrases like "check session security", "audit session management", "review session handling", or "session fixation vulnerability".
npx claudepluginhub flight505/skill-forge --plugin session-security-checker

This skill is limited to using the following tools:
Audit session management implementations in web applications to identify vulnerabilities including session fixation (CWE-384), insufficient session expiration (CWE-613), and cleartext transmission of session tokens (CWE-319).
Session configuration files (${CLAUDE_SKILL_DIR}/session.config.*, settings.py, application.yml)
Report directory: ${CLAUDE_SKILL_DIR}/security-reports/

1. Locate session handling code in **/auth/**, **/session/**, **/middleware/**, and framework-specific files (settings.py, application.yml, web.config).
2. Check session ID generation. Flag Date.now(), Math.random(), sequential IDs, or timestamp-based tokens (CWE-330).
3. Check that the session ID is regenerated on authentication (req.session.regenerate() in Express, request.session.cycle_key() in Django). Flag any login handler that sets authenticated = true without regenerating the session ID.
4. Check session cookie attributes: HttpOnly (prevents XSS-based token theft), Secure (HTTPS-only transmission), SameSite=Lax|Strict (CSRF mitigation), and __Host-/__Secure- prefix usage. Flag any missing attribute.
5. Write the report to ${CLAUDE_SKILL_DIR}/security-reports/session-security-YYYYMMDD.md with per-finding severity, CWE mapping, vulnerable code snippet, and remediated code example.

See ${CLAUDE_SKILL_DIR}/references/implementation.md for the detailed implementation guide. See ${CLAUDE_SKILL_DIR}/references/critical-findings.md for example vulnerability patterns with before/after code.

Output: ${CLAUDE_SKILL_DIR}/security-reports/session-security-YYYYMMDD.md with findings by severity

| Error | Cause | Solution |
|---|---|---|
| No session handling code found in ${CLAUDE_SKILL_DIR}/ | Unusual file structure or framework | Search for framework-specific patterns; request explicit file paths |
| Unknown session framework | Custom or uncommon session library | Apply fundamental session security principles; note limited framework-specific guidance |
| Cannot analyze minified/compiled code | Production bundles instead of source | Request unminified source code; document limitation |
| Non-standard session implementation | Custom session management bypassing framework | Apply extra scrutiny; custom implementations are higher risk (CWE-384, CWE-613) |
| Session config in environment variables, not code | Externalized configuration | Request .env.example or deployment config documentation |
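The checklist above (weak ID generation, missing regeneration on login, missing cookie attributes) can be turned into a first-pass scanner. The following is an added example written for this page, not code from the skill or its reference files: a heuristic Python script that scans source text line by line and maps each hit to a CWE. The pattern set, the eight-line look-back that approximates "the same login handler", the two sample Express-style handlers, and the use of CWE-1004 (missing HttpOnly) and CWE-1275 (missing SameSite), which are standard CWE entries not listed on this page, are all assumptions of the example.

```python
"""Heuristic scan of source text for the session-management checks listed above.
Added example; patterns, window size and the sample handlers are constructed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    line: int             # 1-based line in the scanned text
    cwe: Optional[str]    # CWE id, or None for an advisory note
    message: str


# Weak session-ID sources (CWE-330). The sequential-id pattern is a rough heuristic.
WEAK_ID_PATTERNS = [
    (re.compile(r"\bMath\.random\s*\("), "Math.random() is not a cryptographic RNG"),
    (re.compile(r"\bDate\.now\s*\("), "timestamp-based session token is predictable"),
    (re.compile(r"\b\w*(?:[Ii]d|[Cc]ounter)\s*(?:\+\+|\+=\s*1)"), "sequential session id"),
]

# Regeneration calls named on the page (Express and Django) and the login flag to watch.
REGEN_CALL = re.compile(r"\.(?:regenerate|cycle_key)\s*\(")
AUTH_FLAG = re.compile(r"\bauthenticated\s*=\s*(?:true|True)\b")
REGEN_WINDOW = 8  # preceding lines treated as "the same login handler" (assumption)

# Lines that emit a session cookie, and the attribute each must carry.
# CWE-319 is the page's mapping for cleartext transmission; CWE-1004 (missing HttpOnly)
# and CWE-1275 (missing/improper SameSite) are standard CWE entries, not from the page.
COOKIE_SITE = re.compile(r"Set-Cookie|res\.cookie\s*\(|\bset_cookie\s*\(")
ATTR_CWE = {
    "httponly": ("CWE-1004", "session cookie missing HttpOnly"),
    "secure": ("CWE-319", "session cookie missing Secure"),
    "samesite": ("CWE-1275", "session cookie missing SameSite"),
}


def audit_source(text: str) -> list[Finding]:
    """Return findings for one source file, scanning line by line.
    Cookie checks assume the cookie call and its options sit on a single line."""
    lines = text.splitlines()
    findings: list[Finding] = []
    for n, line in enumerate(lines, start=1):
        for pattern, message in WEAK_ID_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(n, "CWE-330", message))
        if AUTH_FLAG.search(line):
            # Session fixation: the login flag is set but no regeneration call precedes it.
            preceding = "\n".join(lines[max(0, n - 1 - REGEN_WINDOW):n - 1])
            if not REGEN_CALL.search(preceding):
                findings.append(Finding(n, "CWE-384",
                                        "authenticated = true without regenerating the session id"))
        if COOKIE_SITE.search(line):
            lowered = line.lower()   # matches both Set-Cookie headers and Express camelCase options
            for attr, (cwe, message) in ATTR_CWE.items():
                if attr not in lowered:
                    findings.append(Finding(n, cwe, message))
            if "__host-" not in lowered and "__secure-" not in lowered:
                findings.append(Finding(n, None, "session cookie lacks __Host-/__Secure- prefix"))
    return findings


def cwe_summary(findings: list[Finding]) -> list[str]:
    """Sorted, de-duplicated CWE ids: the mapping column the report needs."""
    return sorted({f.cwe for f in findings if f.cwe})


# Constructed sample: an Express-style login handler that fails every check ...
SAMPLE_VULNERABLE = """\
app.post('/login', (req, res) => {
  const sid = Date.now().toString(36) + Math.random().toString(36);
  req.session.authenticated = true;
  res.cookie('sid', sid, { maxAge: 86400000 });
  res.send('ok');
});
"""

# ... and the same handler after remediation along the lines the checklist asks for.
SAMPLE_HARDENED = """\
app.post('/login', (req, res) => {
  req.session.regenerate((err) => {
    const sid = crypto.randomBytes(32).toString('hex');
    req.session.authenticated = true;
    res.cookie('__Host-sid', sid, { httpOnly: true, secure: true, sameSite: 'strict' });
    res.send('ok');
  });
});
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", SAMPLE_VULNERABLE), ("hardened", SAMPLE_HARDENED)):
        print(f"== {name} ==")
        for f in audit_source(src):
            print(f"  line {f.line}: [{f.cwe or 'advisory'}] {f.message}")
```

Run against the vulnerable sample it reports seven findings (two CWE-330 hits on the ID line, one CWE-384 on the login flag, three missing cookie attributes and the prefix advisory); the hardened sample produces none. Line-oriented regexes are a triage aid, not a parser: a cookie whose options span several lines, or a regeneration call more than eight lines above the flag, needs the manual review steps above.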
${CLAUDE_SKILL_DIR}/references/critical-findings.md -- example vulnerability patterns
${CLAUDE_SKILL_DIR}/references/errors.md -- full error handling reference