Session Fixation

A session fixation attack 1) proceeds in three steps.

  • First, the attacker transplants a session identifier from his or her user agent to the victim's user agent (for example, by getting the victim to follow a link that carries the identifier, or by setting it as a cookie in the victim's browser).
  • Second, the victim uses that session identifier to interact with the server, possibly imbuing the session identifier with the user's credentials or confidential information.
  • Third, the attacker uses the same session identifier to interact with the server directly, possibly obtaining the user's authority or confidential information.
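
The three steps above, played out against a minimal server-side session layer, as an added example that is not part of the original page or of any particular framework. It models a fixation-prone server, which keeps whatever session identifier the client presents across login, next to a hardened one that issues a fresh identifier when the session gains authority. The class names, the `alice` account, the `sid` handling and the `run_attack` helper are this example's own assumptions.

```python
"""Three-step session fixation against a minimal session layer.

Added example for this page, not code from the original page or from
any particular framework. It models the server side of the attack: a
fixation-prone server that keeps whatever session identifier the client
presents across login, next to a hardened one that issues a fresh
identifier when the session gains authority. Class names, the 'alice'
account and the identifier handling are this example's own assumptions.
"""
import secrets

# Constructed user database for the example.
USERS = {"alice": "correct horse battery staple"}


class VulnerableServer:
    """Session layer that can be fixated."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": username or None}

    def _get_or_create(self, sid):
        # Fixation-prone behaviour: an identifier the server never issued
        # is adopted as a new anonymous session instead of being discarded,
        # so an attacker does not even need to obtain one from the server.
        if sid is None:
            sid = secrets.token_urlsafe(32)
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def new_session(self):
        """Anonymous visit: the server hands out a session identifier."""
        return self._get_or_create(None)

    def login(self, sid, username, password):
        """Authenticate; returns the identifier the client should keep using."""
        sid = self._get_or_create(sid)
        if USERS.get(username) == password:
            # The weakness: the pre-login identifier is kept and now
            # carries the user's authority.
            self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid):
        """Whose authority does a request carrying `sid` have?"""
        session = self.sessions.get(sid)
        return session["user"] if session else None


class HardenedServer(VulnerableServer):
    """Same API; the identifier is regenerated when authority changes."""

    def _get_or_create(self, sid):
        # Only identifiers this server issued are honoured. Anything else
        # (including None) gets a fresh anonymous session.
        if sid not in self.sessions:
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username, password):
        old_sid = self._get_or_create(sid)
        if USERS.get(username) != password:
            return old_sid
        # The fix: drop the identifier the client arrived with and mint a
        # new one, so a planted identifier never acquires the user's authority.
        del self.sessions[old_sid]
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": username}
        return new_sid


def run_attack(server):
    """Play the three steps against `server`.

    Returns (attacker_view, victim_view): the user each party can act as
    after the victim has logged in.
    """
    # Step 1: the attacker obtains a session identifier with their own user
    # agent and transplants it into the victim's user agent. How it is
    # planted (URL parameter, injected Set-Cookie, ...) is outside this model.
    attacker_sid = server.new_session()
    victim_sid = attacker_sid

    # Step 2: the victim logs in while carrying the planted identifier. The
    # victim's user agent adopts whatever identifier the server returns.
    victim_sid = server.login(victim_sid, "alice", USERS["alice"])

    # Step 3: the attacker presents the identifier they planted. They never
    # learn victim_sid if the server changed it.
    return server.whoami(attacker_sid), server.whoami(victim_sid)


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableServer()))  # ('alice', 'alice')
    print("hardened:  ", run_attack(HardenedServer()))    # (None, 'alice')
```

Against `VulnerableServer` the attacker's planted identifier ends up carrying alice's authority; against `HardenedServer` it is dead after login while the victim notices nothing. The defence the hardened class shows is the standard one: issue a new session identifier on login and on any other change of privilege, and never honour an identifier the server did not itself generate.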
