Audits web app session management for vulnerabilities including fixation, ID generation, expiration, cookie attributes, storage, and invalidation.
Install: `npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin session-security-checker`

How this skill is triggered: by the user, by Claude, or both.

Slash command: `/session-security-checker:checking-session-security`

This skill is limited to the following tools:

The summary Claude sees in its skill listing (used to decide when to auto-load this skill):
Audit session management implementations in web applications to identify vulnerabilities including session fixation (CWE-384), insufficient session expiration (CWE-613), and cleartext transmission of session tokens (CWE-319).
Related skills:

- Executes OWASP WSTG OTG-SESS test cases to audit session token entropy, cookie security attributes, CSRF protection, session fixation, and logout completeness.
- Audits session management for fixation, invalidation gaps, predictable IDs, JWT-as-session flaws, refresh-token rotation/reuse issues, OAuth/SSO linkage, DBSC downgrade, and cookie attribute misconfigurations.
- Reviews web application security controls against OWASP-aligned risks for server-side apps handling user input, sessions, authentication, or access control.
What the skill checks:

- Locating session code: it looks under ${CLAUDE_SKILL_DIR}/ in **/auth/**, **/session/**, **/middleware/**, and framework-specific configuration files (session.config.*, settings.py, application.yml, web.config).
- Session ID generation (CWE-330): flags IDs built from Date.now(), Math.random(), sequential counters, or timestamp-based tokens.
- Session fixation (CWE-384): verifies that a successful login regenerates the session ID (req.session.regenerate() in Express, request.session.cycle_key() in Django) and flags any login handler that sets authenticated = true without doing so.
- Cookie attributes: HttpOnly (scripts cannot read the cookie; an XSS payload can still send requests that carry it), Secure (HTTPS-only transmission; CWE-319 without it), SameSite=Lax|Strict (CSRF mitigation; Lax still sends the cookie on top-level GET navigations, so state-changing requests still need a CSRF token), and __Host-/__Secure- prefix usage (__Host- requires Secure, Path=/ and no Domain attribute). Any missing attribute is flagged.
- Reporting: writes ${CLAUDE_SKILL_DIR}/security-reports/session-security-YYYYMMDD.md with per-finding severity, CWE mapping, vulnerable code snippet, and remediated code example.

See ${CLAUDE_SKILL_DIR}/references/implementation.md for the detailed implementation guide and ${CLAUDE_SKILL_DIR}/references/critical-findings.md for example vulnerability patterns with before/after code.
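The following is an added example, not the plugin's own code: a small checker that applies the audit points above to a login handler's source text (weak ID sources, authenticated state set without session regeneration) and to a Set-Cookie header (HttpOnly, Secure, SameSite, and the __Host-/__Secure- prefix rules). The function names, regular expressions and sample inputs are assumptions for illustration; the login handlers and cookie headers are constructed, not captured from a real application.

```javascript
// Added example, not the plugin's own code. Function names, regexes and the
// sample inputs below are assumptions; the samples are constructed.

// Weak session-ID generation patterns (CWE-330) as listed in the audit points.
const WEAK_ID_PATTERNS = [
  { re: /Math\.random\s*\(/, msg: 'session ID derived from Math.random() (CWE-330)' },
  { re: /Date\.now\s*\(/, msg: 'timestamp used in session token (CWE-330)' },
  { re: /\b(?:sessionId|sid)\s*=[^;\n]*(?:\+\+|counter|nextId)/, msg: 'sequential session ID (CWE-330)' },
];

// Static check of one login handler: weak ID sources, and authenticated state
// set without req.session.regenerate() / request.session.cycle_key() (CWE-384).
function auditLoginHandler(src) {
  const findings = WEAK_ID_PATTERNS.filter(p => p.re.test(src)).map(p => p.msg);
  const setsAuth = /\.(?:authenticated|userId|user)\s*=(?!=)/.test(src);
  const regenerates = /session\.regenerate\s*\(|cycle_key\s*\(/.test(src);
  if (setsAuth && !regenerates) {
    findings.push('login marks session authenticated without regenerating the session ID (CWE-384)');
  }
  return findings;
}

// Attribute check of one Set-Cookie header value, including the browser rules
// that the __Host-/__Secure- prefixes and SameSite=None impose.
function auditSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map(s => s.trim());
  const name = nameValue.split('=')[0];
  const flags = new Map();                      // lowercased attribute name -> value
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const k = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    const v = i < 0 ? '' : a.slice(i + 1).trim();
    flags.set(k, v);
  }
  const findings = [];
  const secure = flags.has('secure');
  if (!flags.has('httponly')) findings.push(`${name}: missing HttpOnly`);
  if (!secure) findings.push(`${name}: missing Secure (CWE-319)`);
  const sameSite = (flags.get('samesite') || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') findings.push(`${name}: SameSite is not Lax or Strict`);
  if (sameSite === 'none' && !secure) findings.push(`${name}: SameSite=None without Secure is rejected by browsers`);
  if (name.startsWith('__Host-')) {
    if (!secure || flags.has('domain') || flags.get('path') !== '/') {
      findings.push(`${name}: __Host- requires Secure, Path=/ and no Domain attribute`);
    }
  } else if (name.startsWith('__Secure-')) {
    if (!secure) findings.push(`${name}: __Secure- requires Secure`);
  } else {
    findings.push(`${name}: no __Host-/__Secure- prefix`);
  }
  return findings;
}

// Constructed samples: an Express login that fails both static checks, and the
// same handler with the fix (regenerate before marking the session authenticated).
const VULNERABLE_LOGIN = `
app.post('/login', (req, res) => {
  if (checkPassword(req.body.user, req.body.pass)) {
    req.session.authenticated = true;          // same session ID as before login
    res.cookie('sid', Math.random().toString(36).slice(2));
    res.redirect('/home');
  }
});`;

const HARDENED_LOGIN = `
app.post('/login', (req, res) => {
  if (!checkPassword(req.body.user, req.body.pass)) return res.sendStatus(401);
  req.session.regenerate((err) => {            // new ID; the pre-login one is discarded
    if (err) return res.sendStatus(500);
    req.session.authenticated = true;
    res.redirect('/home');
  });
});`;

const COOKIES = [
  'sid=7f3a9c; Path=/',
  '__Host-sid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax',
  '__Host-sid=7f3a9c; Domain=example.com; Secure; HttpOnly; SameSite=Strict',
];

for (const [label, src] of [['vulnerable', VULNERABLE_LOGIN], ['hardened', HARDENED_LOGIN]]) {
  console.log(label, auditLoginHandler(src));
}
for (const c of COOKIES) console.log(auditSetCookie(c));
```

The regex-based handler check is deliberately narrow: it only recognises the Express and Django regeneration calls named above, so a custom session layer (the higher-risk case in the error table below) will need its own pattern.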
Output: ${CLAUDE_SKILL_DIR}/security-reports/session-security-YYYYMMDD.md with findings by severity.

| Error | Cause | Solution |
|---|---|---|
| No session handling code found in ${CLAUDE_SKILL_DIR}/ | Unusual file structure or framework | Search for framework-specific patterns; request explicit file paths |
| Unknown session framework | Custom or uncommon session library | Apply fundamental session security principles; note limited framework-specific guidance |
| Cannot analyze minified/compiled code | Production bundles instead of source | Request unminified source code; document limitation |
| Non-standard session implementation | Custom session management bypassing framework | Apply extra scrutiny; custom implementations are higher risk (CWE-384, CWE-613) |
| Session config in environment variables, not code | Externalized configuration | Request .env.example or deployment config documentation |
${CLAUDE_SKILL_DIR}/references/critical-findings.md -- example vulnerability patterns
${CLAUDE_SKILL_DIR}/references/errors.md -- full error handling reference