ASP.NET session fixation

In short, a session fixation attack lets an attacker choose the session identifier that another user's browser will send, so that the attacker and the victim end up sharing one session. As the victim interacts with the website, sensitive information is added to that session. Because both browsers present the same session ID, those changes are visible to the attacker as well. Information held in session state might be displayed on a page, or it might be used to control access to protected resources; either way the attacker gains access to something that should have been available only to the victim.

ASP.NET's built-in session management is vulnerable to session fixation attacks: it will create a session under any well-formed session ID a client presents, and it does not change the session ID when the user logs in. If you're unfamiliar with how these attacks work, read the blog post Ramping up ASP.NET session security first, then come back here and try the demo.

If you'd like to try out the session fixation attacks mentioned in the blog post, you'll find a demo prepared over at http://unsecured.nwebsec.com.

When you're done, have a look at the authenticated session identifiers that solve the problem.
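To make both the attack described in the introduction and the idea behind authenticated session identifiers concrete, here is an added example. It is not NWebsec's code and it does not model ASP.NET's actual SessionIDManager; it keeps everything in-process in Python. One store behaves the way the vulnerable setup does (it honours any ID the client presents and keeps the same ID after login); the other only honours IDs it issued itself, tags each ID with an HMAC over the random part and the authenticated user name, and replaces the ID at login. The class and function names, the server key, the user names and the session contents are all made up for the demo, and the HMAC-binding scheme is one way to implement authenticated session IDs, assumed here rather than taken from the page.

```python
import hashlib
import hmac
import secrets


class FixableSessionStore:
    """Models the weak behaviour: any ID the client presents is honoured, a
    session is created under it if none exists, and the ID is not rotated
    when the user authenticates. (Hypothetical model, not ASP.NET's code.)"""

    def __init__(self):
        self.sessions = {}

    def get_session(self, presented_id, user=""):
        # `user` is ignored: the session is tied to the cookie value only.
        sid = presented_id or secrets.token_hex(12)
        return sid, self.sessions.setdefault(sid, {})

    def login(self, sid, user):
        _, data = self.get_session(sid)
        data["user"] = user
        return sid  # same ID before and after login: the fixation survives


class AuthenticatedSessionStore:
    """Hardened model: IDs are server-issued, carry an HMAC computed over the
    random part and the authenticated user name, and are rotated on login.
    A presented ID is honoured only if its tag verifies for the identity the
    server has established for the request (passed here as `user`)."""

    def __init__(self, key):
        self.key = key          # server-side secret; never sent to clients
        self.sessions = {}

    def _tag(self, rand, user):
        msg = rand.encode() + b"|" + user.encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def _issue(self, user):
        rand = secrets.token_hex(12)
        sid = rand + "." + self._tag(rand, user)
        self.sessions[sid] = {"user": user} if user else {}
        return sid

    def _verify(self, sid, user):
        rand, dot, tag = sid.partition(".")
        expected = self._tag(rand, user)
        # constant-time compare; encode so non-ASCII junk cannot raise
        return bool(dot) and hmac.compare_digest(tag.encode(), expected.encode())

    def get_session(self, presented_id, user=""):
        if presented_id and self._verify(presented_id, user) and presented_id in self.sessions:
            return presented_id, self.sessions[presented_id]
        # Unknown, forged, or bound-to-another-user ID: ignore it and issue a new one.
        sid = self._issue(user)
        return sid, self.sessions[sid]

    def login(self, old_sid, user):
        self.sessions.pop(old_sid, None)   # the pre-login session is discarded
        return self._issue(user)           # fresh ID bound to `user`


def simulate_fixation(store):
    """Runs the attack from the text against `store` and returns whatever the
    attacker can read from the victim's session (None if the attack fails)."""
    # 1. Attacker obtains an ID the server will accept. Against a store that
    #    honours arbitrary client-supplied IDs she could simply invent one.
    planted_sid, _ = store.get_session(None)
    # 2. She plants it in the victim's browser (delivery is not modelled
    #    here) and the victim logs in while sending that ID.
    victim_sid = store.login(planted_sid, "victim")
    # 3. The victim's authenticated requests add sensitive data to the session.
    _, victim_session = store.get_session(victim_sid, "victim")
    victim_session["account"] = "victim account data"
    # 4. The attacker presents the ID she planted, unauthenticated.
    _, attacker_view = store.get_session(planted_sid)
    return attacker_view.get("account")


if __name__ == "__main__":
    print("fixable store leaks:", simulate_fixation(FixableSessionStore()))
    print("authenticated store leaks:", simulate_fixation(AuthenticatedSessionStore(b"demo-key")))
```

Against `FixableSessionStore` the attacker reads the victim's data back through the ID she planted, exactly the outcome described at the top of the page. Against `AuthenticatedSessionStore` the planted ID stops existing at login, the victim's new ID carries a tag the attacker cannot compute without the server key, and a tag for one user does not verify for another, so an ID obtained anonymously cannot be redeemed as the victim's session even if the attacker later learns it.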