diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php
index 410d764c3da9cfcd146f9c9c77e93e6fb209374a..ad4f27a6d392bf763e48c63d3eea37093f7290fc 100644
--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -104,6 +104,16 @@ class SimpleSAML_Session {
 	private $associations = array();
 
 
+	/**
+	 * The authentication token.
+	 *
+	 * This token is used to prevent session fixation attacks.
+	 *
+	 * @var string|NULL
+	 */
+	private $authToken;
+
+
 	/**
 	 * private constructor restricts instantiaton to getInstance()
 	 */
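Review bot: The docblock on `$authToken` says the token prevents session fixation but not how, which is the one thing a later maintainer needs when touching the check in the other hunks. I would extend it to say that the value is stored inside the session data and also issued as a separate cookie, and that on load the two must match or the session is rejected; a one-line addition such as `Stored in the session and mirrored in the SimpleSAMLAuthToken cookie; both must match when the session is loaded.` is enough. It is also worth stating that NULL means the session was created before this token existed, since the check at the end of the file relies on that.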
@@ -360,6 +370,10 @@ class SimpleSAML_Session {
 		$this->authState = $authState;
 
 		$this->sessionstarted = time();
+
+		$this->authToken = SimpleSAML_Utilities::generateID();
+		$sessionHandler = SimpleSAML_SessionHandler::getSessionHandler();
+		$sessionHandler->setCookie('SimpleSAMLAuthToken', $this->authToken);
 	}
 
 
@@ -785,6 +799,17 @@ class SimpleSAML_Session {
 			return NULL;
 		}
 
+		if ($sessionData->authToken !== NULL) {
+			if (!isset($_COOKIE['SimpleSAMLAuthToken'])) {
+				SimpleSAML_Logger::warning('Missing AuthToken cookie.');
+				return NULL;
+			}
+			if ($_COOKIE['SimpleSAMLAuthToken'] !== $sessionData->authToken) {
+				SimpleSAML_Logger::warning('Invalid AuthToken cookie.');
+				return NULL;
+			}
+		}
+
 		return $sessionData;
 	}
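Review bot: The token comparison at line 42 uses `!==`, which short-circuits on the first differing byte; for a secret that gates session use a constant-time comparison is the usual choice, `if (!is_string($_COOKIE['SimpleSAMLAuthToken']) || !hash_equals($sessionData->authToken, $_COOKIE['SimpleSAMLAuthToken'])) {` — `hash_equals()` needs PHP 5.6 or later, and the `is_string()` guard keeps it from throwing if the cookie arrives as an array. The `!== NULL` condition at line 37 is presumably what lets sessions created before this change load without a token; a short comment there, `// sessions created before the auth token existed carry NULL and are accepted`, would stop someone from tightening it without realising that. The enclosing method starts outside the hunk.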