Java : Session fixation

Session Fixation is an attack that aims to get a valid user session. This attack exploits incorrect session management in a vulnerable web application.

For example, session data is encoded instead of being encrypted, ostensibly as a security measure. Or the application does not assign a new session ID when authenticating a user. Possible scenario of the attack consists of three stages:

1. An attacker establishes legitimate connection with the web server and gets a session ID.
2. This ID is injected as a parameter of URL http://example.com/login?sessionid="qwerty" and sent to a victim.
3. The victim follows the link and goes through the authentication procedure, as a result of which, the session identifier known to the attacker is set. Now the attacker has access to the data of the victim, requiring authorization.