What is a Session Fixation Attack?

“Session Fixation is an attack technique that forces a user’s session
ID to an explicit value. Depending on the functionality of the target
web site, a number of techniques can be utilized to “fix” the session
ID value. These techniques range from Cross-site Scripting exploits to
peppering the web site with previously made HTTP requests. After a
user’s session ID has been fixed, the attacker will wait for them to
login. Once the user does so, the attacker uses the predefined session
ID value to assume their online identity.” – The Web Application Security Consortium Threat Classification Project
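The sequence the WASC description gives (an ID is set in the victim's browser before login, the victim authenticates, and the same ID is then presented by someone else) is easiest to understand by watching what the server does with the session ID at the moment of login. The following is an added example, not code from the CGISecurity page, the WASC project or the ACROS paper: two toy in-memory session handlers are compared, one that adopts whatever ID the client sends and keeps it across login, and one that only honours server-issued IDs and regenerates the ID on authentication. The class names, the `FIXED-BY-ATTACKER` value and the dict-based "request" are all constructed for the illustration; there is no network or framework involved.

```python
"""Session fixation: why the server must issue a fresh session ID at login.

Added example (not from the CGISecurity page or the WASC project).
  - VulnerableSessions keeps whatever session ID the request carries and
    simply attaches the user's identity to it after login.
  - HardenedSessions treats unknown IDs as meaningless, issues a new
    server-generated ID at login, and invalidates the pre-login one.
The session store is an in-memory dict; the "cookie" is a plain string.
"""
import secrets


class VulnerableSessions:
    """Trusts the client-supplied session ID and keeps it across login."""

    def __init__(self):
        self.store = {}  # session_id -> {"user": username or None}

    def handle_request(self, cookie_sid):
        # Defect: an ID the server never issued is adopted as a valid session.
        if cookie_sid not in self.store:
            self.store[cookie_sid] = {"user": None}
        return cookie_sid

    def login(self, cookie_sid, username):
        sid = self.handle_request(cookie_sid)
        # Defect: the identity is bound to the pre-existing (possibly pre-set) ID.
        self.store[sid]["user"] = username
        return sid

    def whoami(self, cookie_sid):
        session = self.store.get(cookie_sid)
        return session["user"] if session else None


class HardenedSessions:
    """Only server-issued IDs are valid, and login always rotates the ID."""

    def __init__(self):
        self.store = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # unguessable, server-chosen
        self.store[sid] = {"user": None}
        return sid

    def handle_request(self, cookie_sid):
        # An ID the server never issued is ignored; a fresh one is minted instead.
        if cookie_sid in self.store:
            return cookie_sid
        return self.new_session()

    def login(self, cookie_sid, username):
        # Whatever the client sent, drop it: a pre-login ID (known or unknown)
        # must never carry the authenticated identity.
        self.store.pop(cookie_sid, None)
        sid = self.new_session()
        self.store[sid]["user"] = username
        return sid

    def whoami(self, cookie_sid):
        session = self.store.get(cookie_sid)
        return session["user"] if session else None


def run_scenario(sessions):
    """Replay the WASC sequence against a session handler.

    Returns (identity seen by presenting the pre-set ID after login,
             ID the server handed the victim at login).
    """
    fixed_sid = "FIXED-BY-ATTACKER"  # constructed: the ID the victim's browser ends up sending
    victim_sid = sessions.login(fixed_sid, "victim")
    return sessions.whoami(fixed_sid), victim_sid


if __name__ == "__main__":
    print("vulnerable: pre-set ID resolves to", run_scenario(VulnerableSessions())[0])
    print("hardened:   pre-set ID resolves to", run_scenario(HardenedSessions())[0])
```

Under the vulnerable handler the pre-set ID resolves to the victim's identity after login; under the hardened one it resolves to nothing, because the authenticated session lives under an ID the server generated only after the credentials were verified. Most web frameworks expose this as a "regenerate session ID" call to be made immediately after successful authentication; refusing to adopt client-supplied IDs the server has no record of closes the second half of the problem.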

ACROS Security wrote the first paper describing the problem; it can be found below.
http://www.acrossecurity.com/papers/session_fixation.pdf