Session tokens are assigned to users for tracking purposes. This means that when browsing an application as unauthenticated, a user is assigned a unique session ID, which is usually stored in a cookie. Application developers should always create a new session token after the user logs into the website. If this session token does not change, the application could be susceptible to a session fixation attack. It is the responsibility of web penetration testers to determine whether this token changes values from an unauthenticated state to an authenticated state.

Session fixation is present when application developers do not invalidate the unauthenticated session token, allowing the user to use the same one after authentication. This scenario allows an attacker with a stolen session token to masquerade as the user.