Lessons:15Length:2.3 hours
Crs 14
  • Overview
  • Transcript

5.1 Session Fixation

Ok, so user Bob is logged into your application. His login details are stored into a session with id 1234567890. What would happen if somebody else created a cookie for your domain with his session ID in it? And then what if they visited your application? Exactly. The application would check session 1234567890 and think they are Bob, our logged in user. This is called session fixation, and in this lesson we see when it can occur and what you can do to fight it.