
checking-session-security

This skill enables Claude to check session security implementations within a codebase. It analyzes session management practices to identify potential vulnerabilities. Use this skill when a user requests to "check session security", "audit session handling", "review session implementation", or asks about "session security best practices" in their code. It helps identify issues like insecure session IDs, lack of proper session expiration, or insufficient protection against session fixation attacks. This skill leverages the session-security-checker plugin.

Install with Tessl CLI:

npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill checking-session-security

Overall score: 91 (1.02x)
Quality (does it follow best practices?): 60%
Impact: 97% (1.02x)
Average score across 9 eval scenarios


Evaluation results

Login Flow Security Audit: Session fixation detection
Score: 90% (-5%)

Criteria | Without context | With context
Session fixation identified | 100% | 100%
Regeneration recommendation | 100% | 100%
Weak secret key flagged | 100% | 100%
Secure session ID recommended | 100% | 100%
Missing session expiration | 100% | 100%
Expiration remediation | 100% | 100%
Input validation missing | 50% | 0%
Session hijacking risk linked | 100% | 100%
Report has vulnerability listing | 100% | 100%
Report has remediation steps | 100% | 100%

Without context: $0.2440 · 3m 8s · 13 turns · 14 in / 4,081 out tokens
With context: $0.5180 · 3m 5s · 26 turns · 477 in / 7,592 out tokens

Session Handling Review for Internal HR Portal: Session expiration analysis
Score: 95%

Criteria | Without context | With context
Missing session timeout | 100% | 100%
Specific timeout value suggested | 100% | 100%
Unauthorized access risk stated | 100% | 100%
httpOnly flag missing | 100% | 100%
Secure cookie flag missing | 100% | 100%
Session fixation risk noted | 100% | 100%
Weak secret key flagged | 100% | 100%
Input validation absent | 0% | 0%
Report has vulnerability listing | 100% | 100%
Remediation steps provided | 100% | 100%

Without context: $0.2304 · 2m 12s · 9 turns · 10 in / 4,535 out tokens
With context: $0.4998 · 4m 24s · 23 turns · 23 in / 7,494 out tokens

Security Review for Customer-Facing API Authentication: Comprehensive session security audit
Score: 100%

Criteria | Without context | With context
Weak session ID algorithm | 100% | 100%
Predictable token inputs | 100% | 100%
Strong random session ID recommended | 100% | 100%
Input validation issue identified | 100% | 100%
Session hijacking risk stated | 100% | 100%
Missing session expiration | 100% | 100%
Session fixation noted | 100% | 100%
Report enumerates all vulnerabilities | 100% | 100%
Per-vulnerability remediation | 100% | 100%

Without context: $0.2901 · 2m 33s · 9 turns · 10 in / 5,866 out tokens
With context: $0.4805 · 5m 22s · 21 turns · 54 in / 7,589 out tokens

Security Review for PHP E-Commerce Checkout Portal: PHP session security audit
Score: 100% (10%)

Criteria | Without context | With context
Session fixation identified | 100% | 100%
Regeneration recommendation | 100% | 100%
httpOnly flag missing | 100% | 100%
Secure flag missing | 100% | 100%
SameSite attribute insecure | 100% | 100%
Missing session expiration | 0% | 100%
Input validation absent | 100% | 100%
Session hijacking risk linked | 100% | 100%
Report has vulnerability listing | 100% | 100%
Per-vulnerability remediation | 100% | 100%

Without context: $0.2503 · 3m · 11 turns · 12 in / 5,235 out tokens
With context: $0.4276 · 5m 1s · 22 turns · 55 in / 6,154 out tokens

Session Security Review for Node.js SaaS API: Multi-file codebase session analysis
Score: 100%

Criteria | Without context | With context
Multi-file analysis | 100% | 100%
Weak secret key flagged | 100% | 100%
httpOnly flag missing | 100% | 100%
Secure flag missing | 100% | 100%
Missing session expiration | 100% | 100%
Session fixation identified | 100% | 100%
Input validation absent | 100% | 100%
Expiration recommendation specific | 100% | 100%
Report has vulnerability listing | 100% | 100%
Per-vulnerability remediation | 100% | 100%

Without context: $0.2431 · 2m 54s · 7 turns · 8 in / 5,229 out tokens
With context: $0.4164 · 4m 26s · 19 turns · 52 in / 6,363 out tokens

Session Security Assessment for Django Healthcare Portal: Django session security review
Score: 97% (-3%)

Criteria | Without context | With context
COOKIE_SECURE flag | 100% | 100%
COOKIE_HTTPONLY flag | 100% | 100%
COOKIE_SAMESITE setting | 100% | 100%
Missing session timeout | 100% | 100%
Specific timeout recommended | 100% | 100%
Session fixation or cycle missing | 100% | 100%
Input validation absent | 100% | 70%
Session hijacking risk stated | 100% | 100%
Report has vulnerability listing | 100% | 100%
Per-vulnerability remediation | 100% | 100%

Without context: $0.2265 · 1m 42s · 7 turns · 8 in / 4,721 out tokens
With context: $0.4322 · 3m 55s · 21 turns · 311 in / 6,286 out tokens

Session Token Audit for Legacy Node.js Service: Session ID strength analysis
Score: 96% (4%)

Criteria | Without context | With context
Identifies Math.random usage | 100% | 100%
Identifies sequential/predictable IDs | 100% | 100%
Recommends crypto RNG | 100% | 100%
Identifies insufficient ID length | 100% | 70%
Report includes remediation steps | 100% | 100%
Session fixation check | 0% | 87%
Session expiration check | 100% | 100%
Input validation check | 100% | 100%
Secure cookie flags | 100% | 100%
Structured report format | 100% | 100%

Without context: $0.3215 · 4m 10s · 16 turns · 17 in / 5,290 out tokens
With context: $0.4822 · 5m 19s · 23 turns · 23 in / 7,493 out tokens

Security Review: User Portal Session Handling: Input validation for session hijacking
Score: 97% (4%)

Criteria | Without context | With context
Identifies unvalidated session input | 100% | 100%
Identifies session token in URL | 100% | 100%
Remediation for input validation | 100% | 100%
Session fixation finding | 100% | 100%
Session expiration finding | 100% | 100%
Secure session ID recommendation | 70% | 70%
Cookie security flags | 50% | 100%
Identifies privilege escalation risk | 100% | 100%
Report structure | 100% | 100%
Actionable remediation detail | 100% | 100%

Without context: $0.2486 · 2m 30s · 10 turns · 11 in / 4,812 out tokens
With context: $0.4601 · 4m 34s · 22 turns · 55 in / 6,213 out tokens

Session Security Assessment for Healthcare Portal: Session security report with remediation
Score: 100%

Criteria | Without context | With context
Identifies custom session ID generation | 100% | 100%
Flags non-cryptographic randomness | 100% | 100%
Recommends SecureRandom or container sessions | 100% | 100%
Identifies missing session expiration | 100% | 100%
Remediation for expiration | 100% | 100%
Identifies session fixation | 100% | 100%
Remediation for session fixation | 100% | 100%
Covers all three vulnerability categories | 100% | 100%
Input validation coverage | 100% | 100%
Report structure with findings and remediation | 100% | 100%

Without context: $0.2068 · 1m 48s · 8 turns · 9 in / 4,764 out tokens
With context: $0.4435 · 4m 59s · 23 turns · 23 in / 6,943 out tokens

Evaluated with agent: Claude Code; model: Claude Sonnet 4.6
