Invalidating any existing session
If multiple applications reside on the same top-level domain, such as bank.example.com and recipes.example.com, a vulnerability in one application can allow an attacker to set a cookie with a fixed session identifier that will be used in all interactions with any application on the domain, because a cookie scoped to example.com is sent to every host beneath it.

Example 2: The following example shows a snippet of code from a J2EE web application where the application authenticates users with a direct post to the

Phase: Architecture and Design. For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie: on successful authentication, set an additional cookie to a random value and store the same value in the session; on every subsequent request, compare the two and invalidate the session, forcing a fresh login, if they ever disagree.
Network-based attacks typically require a physical presence on the victim's network or control of a compromised machine on that network, which makes them harder to exploit remotely, but their significance should not be overlooked.
The attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session. Session fixation is likewise possible when the application or container uses predictable session identifiers.
In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier.
Finding a victim who is both using a public terminal and interested in logging into the vulnerable application is possible as well, so long as the site is reasonably popular.
The less well-known the site is, the lower the odds of an interested victim using the public terminal and the lower the chance of success for the attack vector described above.

Less secure session management mechanisms, such as the default implementation in Apache Tomcat, allow session identifiers normally expected in a cookie to be specified on the URL as well, which enables an attacker to cause a victim to use a fixed session identifier simply by emailing a malicious URL. Carrying the identifier in the URL also exposes it through Referer headers, browser history and proxy logs, so it is worth disabling URL rewriting outright rather than relying on the cookie path alone.
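The generic exploit described above (an attacker obtains a valid session identifier, forces it on the victim, and replays it after the victim authenticates) and the URL-delivered variant just mentioned are modelled below. This is an added example, not code from the original page or from any J2EE container; the session store, the user table and the jsessionid parsing are constructed stand-ins for what a servlet container does. It places a vulnerable login, which authenticates into whatever session the request presented, beside a hardened one that invalidates the pre-authentication session and issues a new identifier, and shows that the attack also fails when the container refuses session identifiers from the URL.

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed credential store for the demo; not part of the original page.
VALID_USERS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    user: Optional[str] = None
    data: dict = field(default_factory=dict)


class SessionStore:
    """Minimal in-memory session store standing in for the container's.
    IDs are unpredictable, so the attack relies on fixation, not guessing."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = Session()
        return sid

    def get(self, sid: Optional[str]) -> Optional[Session]:
        return self.sessions.get(sid) if sid else None

    def invalidate(self, sid: Optional[str]) -> None:
        if sid:
            self.sessions.pop(sid, None)


def session_id_from_request(cookie_sid: Optional[str], url: str,
                            allow_url_session_id: bool) -> Optional[str]:
    """Models how a container picks the requested session ID: a cookie wins;
    a ;jsessionid= path parameter is honoured only when URL rewriting is on."""
    if cookie_sid:
        return cookie_sid
    if allow_url_session_id:
        m = re.search(r";jsessionid=([A-Za-z0-9_-]+)", url)
        if m:
            return m.group(1)
    return None


def login_vulnerable(store: SessionStore, requested_sid: Optional[str],
                     username: str, password: str) -> Optional[str]:
    """Authenticates into whatever session the request presented, so whoever
    chose that ID now owns an authenticated session."""
    if VALID_USERS.get(username) != password:
        return None
    sid, session = requested_sid, store.get(requested_sid)
    if session is None:  # unknown ID: the container issues a fresh one
        sid = store.create()
        session = store.get(sid)
    session.user = username
    return sid


def login_hardened(store: SessionStore, requested_sid: Optional[str],
                   username: str, password: str) -> Optional[str]:
    """Drops the pre-authentication session and binds the user to a brand-new
    ID, so an identifier the attacker planted never becomes authenticated."""
    if VALID_USERS.get(username) != password:
        return None
    store.invalidate(requested_sid)
    sid = store.create()
    store.get(sid).user = username
    return sid


def run_fixation_attack(login: Callable, allow_url_session_id: bool) -> bool:
    """Generic exploit: attacker records a valid ID, mails the victim a URL
    carrying it, victim logs in, attacker replays the ID. Returns True when
    the attacker ends up holding the victim's authenticated session."""
    store = SessionStore()
    fixed_sid = store.create()  # step 1: attacker obtains a real session ID
    mailed_url = f"https://recipes.example.com/login;jsessionid={fixed_sid}"
    # step 2: victim has no cookie for the site yet and follows the link
    requested = session_id_from_request(None, mailed_url, allow_url_session_id)
    login(store, requested, "alice", VALID_USERS["alice"])
    # step 3: attacker presents the fixed ID
    hijacked = store.get(fixed_sid)
    return hijacked is not None and hijacked.user == "alice"


if __name__ == "__main__":
    print("vulnerable login, URL session IDs accepted:",
          run_fixation_attack(login_vulnerable, True))
    print("vulnerable login, cookie-only session IDs:",
          run_fixation_attack(login_vulnerable, False))
    print("hardened login, URL session IDs accepted:",
          run_fixation_attack(login_hardened, True))
```

In a real J2EE application the hardened path corresponds to calling invalidate() on the session returned by request.getSession(false) and then request.getSession(true) before storing the authenticated principal; the model keeps both the attacker's and the victim's view in one process so the outcome can be checked directly.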