Session Fixation

Tue, 24 Feb 2026 00:00:00 +0000

Session Fixation

Severity: High | CWE: CWE-384 OWASP: A07:2021 – Identification and Authentication Failures

What Is Session Fixation?

Session fixation occurs when an application does not issue a new session identifier after successful authentication. An attacker who can set or predict the victim’s pre-authentication session ID can then wait for the victim to log in and immediately reuse that same ID to gain authenticated access.

The classic scenario requires the attacker to be able to push a known session ID to the victim — via URL parameter, cookie injection, or subdomain cookie injection.

Session Puzzling / Session Variable Overloading

Tue, 24 Feb 2026 00:00:00 +0000

Session Puzzling / Session Variable Overloading

Severity: High | CWE: CWE-384, CWE-613 OWASP: A07:2021 – Identification and Authentication Failures

What Is Session Puzzling?

Session Puzzling (also called Session Variable Overloading) is a vulnerability where the same session variable is used for different purposes in different application contexts, and an attacker can exploit this reuse to bypass authentication or authorization controls.

The core issue: when the same key in the session store holds different semantic meaning depending on which workflow put it there, an attacker can use one workflow to set a value that satisfies the check in another workflow.

Session Attacks on MrAzoth

Session Fixation

Session Fixation

What Is Session Fixation?

Session Puzzling / Session Variable Overloading

Session Puzzling / Session Variable Overloading

What Is Session Puzzling?