About
A session fixation attack [1] proceeds in three steps.
- First, the attacker transplants a session identifier from his or her user agent to the victim's user agent.
- Second, the victim uses that session identifier to interact with the server, possibly imbuing the session identifier with the user's credentials or confidential information.
- Third, the attacker uses the session identifier to interact with the server directly, possibly obtaining the user's authority or confidential information.
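The three steps above depend on the session identifier staying the same across the moment the user authenticates. The following added example (not from the original page) models a server-side session table and compares what a pre-login identifier is worth after login with and without identifier rotation; `SessionStore`, `fixed_id_authority` and the user name `alice` are hypothetical names constructed for illustration.

```python
import secrets


class SessionStore:
    """Toy in-memory server-side session table (hypothetical, for illustration)."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> {"user": name or None}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Bind `user` to a session; return the id the client must use afterwards."""
        if sid not in self.sessions:
            # Never adopt an identifier the server did not issue itself.
            sid = self.new_session()
        if self.rotate_on_login:
            # Mitigation: discard the pre-login id and issue a fresh one,
            # so nothing known before authentication carries authority after it.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixed_id_authority(rotate_on_login):
    """Return the user the pre-login session id maps to after the victim logs in."""
    store = SessionStore(rotate_on_login)
    fixed_sid = store.new_session()               # step 1: id known to a second party
    victim_sid = store.login(fixed_sid, "alice")  # step 2: victim authenticates on it
    assert store.whoami(victim_sid) == "alice"    # the victim's own session works
    return store.whoami(fixed_sid)                # step 3: what the old id is worth


if __name__ == "__main__":
    print("without rotation:", fixed_id_authority(False))  # alice
    print("with rotation:   ", fixed_id_authority(True))   # None
```

Without rotation the pre-login identifier resolves to the authenticated user; with rotation it resolves to nothing, so the third step yields no authority.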