Session Fixation is an attack that aims to get a valid user session. This attack exploits incorrect session management in a vulnerable web application.

For example, session data is encoded instead of being encrypted, ostensibly as a security measure. Or the application does not assign a new session ID when authenticating a user. Possible scenario of the attack consists of three stages:

An attacker establishes legitimate connection with the web server and gets a session ID.
This ID is injected as a parameter of URL http://example.com/login?sessionid="qwerty" and sent to a victim.
The victim follows the link and goes through the authentication procedure, as a result of which, the session identifier known to the attacker is set. Now the attacker has access to the data of the victim, requiring authorization.

Config files : Persistent authentication

DerScanner Severity Score

Do you want to fix Config files : Persistent authentication in your application?

See also