by Calzifer
505 days ago
https://en.wikipedia.org/wiki/Session_fixation In short, in at least one variation, the attacker is able to smuggle a known (unauthenticated) session token into the victim's browser. Once the victim logs in, the session token is authenticated and known to the attacker. The easy countermeasure is to renew the session token on login and not reuse a previously unauthenticated session token. Or your application has no session at all before login.
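The countermeasure described in the comment above, as an added example that is not part of the original post: a minimal in-memory session store (all names here are assumptions) with a login that keeps the presented session ID beside one that rotates it, plus a scenario that checks whether a pre-planted ID still resolves to the logged-in user afterwards.

```python
import secrets


class SessionStore:
    """Toy server-side session table: session id -> {"user": name or None}."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        # Issued to any visitor before authentication.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None

    def login_keep_id(self, sid, username):
        # Weak: authenticates whatever session id the browser presented,
        # so an id known to a third party before login stays valid after it.
        self._sessions.setdefault(sid, {"user": None})["user"] = username
        return sid

    def login_rotate_id(self, sid, username):
        # Hardened: drop the pre-login session and issue a fresh id that
        # only the freshly authenticated browser receives (via Set-Cookie).
        self._sessions.pop(sid, None)
        fresh = secrets.token_urlsafe(32)
        self._sessions[fresh] = {"user": username}
        return fresh


def fixation_scenario(rotate_on_login):
    """Constructed check: does a session id obtained before login still
    resolve to the user after login? Returns a dict for inspection."""
    store = SessionStore()
    planted = store.new_session()          # unauthenticated id known up front
    login = store.login_rotate_id if rotate_on_login else store.login_keep_id
    victim_sid = login(planted, "alice")   # victim authenticates with that id
    return {
        "planted": planted,
        "victim_sid": victim_sid,
        "planted_resolves_to": store.user_for(planted),  # should be None when rotated
    }


if __name__ == "__main__":
    for rotate in (False, True):
        print("rotate_on_login=%s -> %r" % (rotate, fixation_scenario(rotate)["planted_resolves_to"]))
```

A real application would also set the new cookie with `HttpOnly`, `Secure` and `SameSite` attributes and reject session IDs it never issued.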