1 article with this tag
In a session fixation attack, the attacker makes a victim use a session ID the attacker already knows, then impersonates the victim after they log in with it. The real defense: regenerate the session ID on login (and on privilege change). Don't accept IDs from the URL, and harden cookies with HttpOnly/Secure/SameSite.