• In a session fixation attack, the attacker tricks the user into accessing a genuine web server using an explicit session ID value
• The attacker assumes the identity of the victim and exploits the victim's credentials at the server
  1. Attacker logs on to the bank website using his credentials
  2. Web server sets a session ID on the attacker's machine
  3. Attacker sends an email containing a link with a fixed session ID
  4. User clicks on the link and is redirected to the bank website
  5. User logs into the server using his credentials and the fixed session ID
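The five steps above, replayed against a small in-memory session model so the defect and its fix can be seen side by side. This is an added example written for this page, not code from the original; the server classes, the `USERS` table and the credentials in it are constructed for the demonstration. The vulnerable server adopts any client-supplied session ID and keeps it across login, so the attacker's ID ends up authenticated as the victim. The hardened server honours only IDs it issued itself and replaces the session ID on every login, which is the standard mitigation for session fixation.

```python
import secrets

# Constructed demo credentials for the walkthrough (not real accounts)
USERS = {"attacker": "attacker-pw", "victim": "victim-pw"}


def check_password(user, password):
    return USERS.get(user) == password


class VulnerableServer:
    """Session handling that enables fixation: any client-supplied ID is
    adopted as a session, and the ID is kept unchanged across login."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": username or None}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def visit(self, sid=None):
        """Handle a request; returns the session ID the client should keep."""
        if sid is None:
            return self.new_session()
        # Defect 1: an unknown ID taken from the URL or cookie is accepted as-is
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login(self, sid, user, password):
        if not check_password(user, password):
            return None
        sid = self.visit(sid)
        # Defect 2: the privilege level changes but the session ID does not
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        """User bound to a session ID, or None if unknown/unauthenticated."""
        return self.sessions.get(sid, {}).get("user")


class HardenedServer(VulnerableServer):
    """Same store with two fixes: only server-issued IDs are honoured, and a
    fresh ID is issued on every login while the old one is invalidated."""

    def visit(self, sid=None):
        if sid is None or sid not in self.sessions:
            return self.new_session()  # unknown IDs are never adopted
        return sid

    def login(self, sid, user, password):
        if not check_password(user, password):
            return None
        if sid in self.sessions:
            del self.sessions[sid]  # whoever else holds the old ID loses it
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = user
        return new_sid


def run_fixation_scenario(server):
    """Replay steps 1-5. Returns (user now bound to the attacker's fixed
    session ID, the session ID the victim ends up with)."""
    # Steps 1-2: attacker logs in with his own credentials and is issued an ID
    fixed_sid = server.login(None, "attacker", "attacker-pw")
    # Steps 3-4: the emailed link carries fixed_sid; the victim's browser presents it
    victim_sid = server.visit(fixed_sid)
    # Step 5: the victim logs in while still presenting that session ID
    victim_sid = server.login(victim_sid, "victim", "victim-pw")
    return server.whoami(fixed_sid), victim_sid


if __name__ == "__main__":
    for cls in (VulnerableServer, HardenedServer):
        bound_user, _ = run_fixation_scenario(cls())
        print(f"{cls.__name__}: attacker's fixed ID now maps to {bound_user!r}")
```

On the vulnerable server the attacker's original ID maps to `"victim"` after step 5, which is exactly the takeover the slide describes; on the hardened server it maps to nothing, because the login handler discarded it and issued the victim a new one. In a real application the two fixes correspond to "never create a session from an ID the server did not issue" and "regenerate the session ID on authentication or any privilege change".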