
Session Fixation

Session fixation occurs when an application does not create a fresh session after login or allows attackers to control a user’s session identifier. If the victim authenticates using that session, the attacker may reuse the same session to gain unauthorized access. Strong session regeneration, secure cookies, proper logout handling, and session invalidation are key controls to prevent session fixation.

Session ID Controlled → User Logs In → Same Session Reused → Account Access Risk Created → Session Regenerated After Login
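The flow above can be turned into a regression check that a defender runs against the login handler: plant a session id before authentication, log the user in with it, and confirm the pre-login id no longer resolves to the authenticated user. The following is an added example that is not part of the original page; it uses a constructed in-memory session store rather than any real framework, and the handler names (`login_vulnerable`, `login_hardened`, `fixation_check`, `cookie_header`) are hypothetical.

```python
import secrets

# Constructed in-memory session store: session id -> session data.
SESSIONS = {}


def new_session():
    """Create an unauthenticated session with a cryptographically random id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid


def login_vulnerable(sid, username):
    """Fixation-prone login: keeps whatever session id the browser presented.

    If that id was planted by someone else, their copy of it becomes an
    authenticated session for `username` once this returns.
    """
    if sid not in SESSIONS:
        sid = new_session()
    SESSIONS[sid]["user"] = username
    return sid


def login_hardened(sid, username):
    """Session regeneration: discard the pre-login session and issue a fresh id.

    Anything the browser presented before authentication is invalidated, so a
    pre-planted id never becomes an authenticated one.
    """
    SESSIONS.pop(sid, None)  # invalidate the presented id unconditionally
    new_sid = new_session()
    SESSIONS[new_sid]["user"] = username
    return new_sid


def logout(sid):
    """Proper logout: invalidate server-side state, not just the cookie."""
    SESSIONS.pop(sid, None)


def whoami(sid):
    """Resolve a session id to the authenticated user, or None."""
    return SESSIONS.get(sid, {}).get("user")


def cookie_header(sid):
    """Build the Set-Cookie header for a session id with the secure attributes
    the page calls for (Secure, HttpOnly, SameSite)."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def fixation_check(login):
    """Regression check for a login handler.

    Returns (user seen through the pre-login id, user seen through the id the
    browser holds after login). A fixation-safe handler yields None for the
    first element: the pre-login id must not become authenticated.
    """
    pre_login_sid = new_session()
    post_login_sid = login(pre_login_sid, "victim")
    return whoami(pre_login_sid), whoami(post_login_sid)


if __name__ == "__main__":
    print("vulnerable:", fixation_check(login_vulnerable))  # ('victim', 'victim')
    print("hardened:  ", fixation_check(login_hardened))    # (None, 'victim')
```

The check is the useful part: drop it into the application's test suite and it fails the moment a refactor of the login path stops regenerating the session. The hardened handler pops the presented id before creating a new one, so regeneration and invalidation happen together; logout does the same on the server side so a stale cookie cannot be replayed.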
