When a user loads the home page of an application, it sets a session identifier, be it a cookie, token, or internal variable; if, once the user logs in to the application, this is when the user enters into a restricted area of the application that requires a username and password or other type of identification, this identifier is not changed, then the application may be vulnerable to session fixation.

A session fixation attack occurs when the attacker forces a session ID value into a valid user, and then this user logs in to the application and the ID provided by the attacker is not changed. This allows for the attacker to simply use the same session ID and hijack the user's session.

In this recipe, we will learn the process of a session fixation attack by using one of the applications in the vulnerable virtual machine vm_1.