Audits web app session management for vulnerabilities including fixation, ID generation, expiration, cookie attributes, storage, and invalidation.
How this skill is triggered — by the user, by Claude, or both
Slash command
/session-security-checker:checking-session-securityThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Audit session management implementations in web applications to identify vulnerabilities including session fixation (CWE-384), insufficient session expiration (CWE-613), and cleartext transmission of session tokens (CWE-319).
Audit session management implementations in web applications to identify vulnerabilities including session fixation (CWE-384), insufficient session expiration (CWE-613), and cleartext transmission of session tokens (CWE-319).
${CLAUDE_SKILL_DIR}/session.config.*, settings.py, application.yml)${CLAUDE_SKILL_DIR}/security-reports/**/auth/**, **/session/**, **/middleware/**, and framework-specific files (settings.py, application.yml, web.config).Date.now(), Math.random(), sequential IDs, or timestamp-based tokens (CWE-330).req.session.regenerate() in Express, request.session.cycle_key() in Django). Flag any login handler that sets authenticated = true without regenerating the session ID.HttpOnly (prevents XSS-based token theft), Secure (HTTPS-only transmission), SameSite=Lax|Strict (CSRF mitigation), and __Host-/__Secure- prefix usage. Flag any missing attribute.${CLAUDE_SKILL_DIR}/security-reports/session-security-YYYYMMDD.md with per-finding severity, CWE mapping, vulnerable code snippet, and remediated code example.See ${CLAUDE_SKILL_DIR}/references/implementation.md for the detailed implementation guide. See ${CLAUDE_SKILL_DIR}/references/critical-findings.md for example vulnerability patterns with before/after code.
${CLAUDE_SKILL_DIR}/security-reports/session-security-YYYYMMDD.md with findings by severity| Error | Cause | Solution |
|---|---|---|
No session handling code found in ${CLAUDE_SKILL_DIR}/ | Unusual file structure or framework | Search for framework-specific patterns; request explicit file paths |
| Unknown session framework | Custom or uncommon session library | Apply fundamental session security principles; note limited framework-specific guidance |
| Cannot analyze minified/compiled code | Production bundles instead of source | Request unminified source code; document limitation |
| Non-standard session implementation | Custom session management bypassing framework | Apply extra scrutiny; custom implementations are higher risk (CWE-384, CWE-613) |
| Session config in environment variables, not code | Externalized configuration | Request .env.example or deployment config documentation |
${CLAUDE_SKILL_DIR}/references/critical-findings.md -- example vulnerability patterns${CLAUDE_SKILL_DIR}/references/errors.md -- full error handling reference11plugins reuse this skill
First indexed Jul 10, 2026
Showing the 6 earliest of 11 plugins
npx claudepluginhub luxdevnet/claude-plus-lux --plugin session-security-checkerAudits web app session management for vulnerabilities including fixation, ID generation, expiration, cookie attributes, storage, and invalidation.
Validates session security configurations and provides guidance on authentication, input validation, and secure coding practices.
Executes OWASP WSTG OTG-SESS test cases to audit session token entropy, cookie security attributes, CSRF protection, session fixation, and logout completeness.