Security / Scenario
The Session That Never Rotated
The login handler authenticates the user but keeps the pre-login session id. Trace the fixation attack and fix it.
- Difficulty
- Hard
- Format
- Scenario
- Points
- 200
- Estimate
- 15 min
// MISSION BRIEF
Your Mission
A login handler checks the password and... keeps the same session id the user arrived with. If an attacker planted that id beforehand, they now share an authenticated session with the victim.
Read the handler and the attack trace, name the flaw and the aggravating weaknesses, and state the one-line fix and the test that proves it.
// FIRST CONTACT
Battle teaser
First artifact
Login handler (as shipped)
The core session-fixation flaw here:
- AAn XSS bug on the dashboard
- BThere is no rate limit on login
- CThe password hashing is weak
- DThe session id is not regenerated on authentication, so an id fixed before login stays valid after login
Answers, scoring, hints, and the full battle stay sealed.
// SKILL TAGS
securitysession-fixationsession-managementcookies