During a web application assessment you proxy traffic with Burp and note the server issues a Set-Cookie header containing PHPSESSID=abc123 on the public home page. After authenticating with valid credentials, the application keeps exactly the same cookie value and grants full user privileges without issuing a new token. From a session-management perspective, what vulnerability is this behavior demonstrating?
Session fixation
Weak session entropy that allows brute-force prediction
The server should invalidate any pre-login session identifier and generate a fresh, unpredictable value once the user is authenticated. Re-using the unauthenticated PHPSESSID after successful login lets an attacker pre-set or capture that identifier and later force or trick the victim to use it, resulting in the attacker controlling the victim's authenticated session. This weakness is known as session fixation. The other options describe different flaws: CSRF exploits trust in an existing session but does not rely on reusing a pre-login token; insecure direct object references involve insufficient authorization checks on resources; weak session entropy permits brute-force guessing of many IDs rather than accepting an attacker-supplied one.
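To make the contrast concrete, here is an added illustration (not part of the original question or any real framework's code) of a tiny in-memory session store with the flawed login that keeps the pre-login identifier beside the corrected login that regenerates it, plus the assessor's check that compares the session id before and after authentication. `SessionStore`, `login_vulnerable`, `login_fixed` and the sample cookie strings are constructed for this example.

```python
import secrets


class SessionStore:
    """Toy stand-in for a server-side session handler (constructed example)."""

    def __init__(self):
        self.sessions = {}  # session id -> attributes

    def start(self):
        """Issue an anonymous pre-login session, as the public home page does."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user):
        """Flawed: marks the existing session authenticated and keeps its id."""
        self.sessions[sid]["user"] = user
        return sid

    def login_fixed(self, sid, user):
        """Correct: drop the pre-login id and bind the user to a fresh one."""
        old = self.sessions.pop(sid, {"user": None})
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {**old, "user": user}
        return new_sid

    def whoami(self, sid):
        """Return the user bound to sid, or None if unknown/anonymous."""
        return self.sessions.get(sid, {}).get("user")


def parse_session_id(set_cookie, name="PHPSESSID"):
    """Extract the session id from a Set-Cookie header value."""
    for part in set_cookie.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def session_fixation_suspected(pre_login_cookie, post_login_cookie):
    """Assessment check: identical id before and after login is the finding."""
    before = parse_session_id(pre_login_cookie)
    after = parse_session_id(post_login_cookie)
    return before is not None and before == after
```

With the fixed login, a session id captured or pre-set before authentication is no longer valid afterwards, so `whoami(old_id)` returns None rather than the victim's account.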
Certified Ethical Hacker (CEH)
Web Application Hacking