Security / Scenario

The Session That Never Rotated

The login handler authenticates the user but keeps the pre-login session id. Trace the fixation attack and fix it.

Difficulty
Hard
Format
Scenario
Points
200
Estimate
15 min

// MISSION BRIEF

Your Mission

A login handler checks the password and... keeps the same session id the user arrived with. If an attacker planted that id beforehand, they now share an authenticated session with the victim.

Read the handler and the attack trace, name the flaw and the aggravating weaknesses, and state the one-line fix and the test that proves it.

// FIRST CONTACT

Battle teaser

First artifact

Login handler (as shipped)

The core session-fixation flaw here:

  1. AAn XSS bug on the dashboard
  2. BThere is no rate limit on login
  3. CThe password hashing is weak
  4. DThe session id is not regenerated on authentication, so an id fixed before login stays valid after login
Answers, scoring, hints, and the full battle stay sealed.

// SKILL TAGS

securitysession-fixationsession-managementcookies