
Session Fixation

In a session fixation attack, an attacker issues (sets or fixates) a user's SID before the user logs into the target server and forces the user's browser into using the attacker's session. This attack eliminates the need to hijack the user's SID.

Session fixation using a cross-site scripting vulnerability

Steps

   1. Session setup
  • The attacker sets up a "trap session" on the target server, obtains a SID, and maintains the SID by repeatedly sending requests referencing it to avoid the idle session timeout.
   2. Session fixation
  • The attacker tries to transport the trap session ID to the user's browser, thereby fixing his session.
  • Cookies have been predominantly used to store SIDs because of their security in comparison to URL arguments and hidden form fields. However, at the same time cookies also provide the most convenient way of exploiting session fixation vulnerabilities.
  • According to RFC 2965, a cookie can be set only so that it is sent to either the issuing server or the issuing server's domain.
   3. Session entrance
  • Finally, the attacker waits until the user logs in to the target server and uses his session. After the user logs in to the trap session and before he has logged out, the attacker enters the trap session and assumes the user's identity.

Defense

   Preventing session fixation attacks is the responsibility of the web application, not the underlying web server. 

   Options
  • Preventing login to a chosen session: Web applications must ignore any SID provided by the user's browser at login and always generate a new session once the user is successfully authenticated.
  • Binding the session ID to the browser's network address or the user's SSL client certificate.
  • Session destruction: Upon logout or timeout, the SID needs to be deleted not only in the browser but also on the server.
  • Absolute session timeouts: This prevents attackers from maintaining a trap session, and the user's session they have already entered, for a long period of time.
  • Session Fixation Vulnerability in ASP.NET
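As an added illustration, not part of the original note or of any framework, the following minimal in-memory session store in Python places the login pattern the first option warns against beside the hardened version that regenerates the SID after authentication, and also implements server-side session destruction and an absolute timeout. The store, function names and the 8-hour limit are assumptions made for this example.

```python
import secrets
import time

# Constructed value for the example: absolute lifetime regardless of activity.
ABSOLUTE_TIMEOUT = 8 * 3600

class SessionStore:
    """Minimal server-side session store (example only, not a framework API)."""

    def __init__(self, clock=time.time):
        self.sessions = {}  # sid -> {"user": str | None, "created": float}
        self.clock = clock  # injectable so the timeout can be exercised in tests

    def new_session(self):
        # Unpredictable SID; fixation does not rely on guessing one, which is
        # why the login logic below is what actually closes the hole.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "created": self.clock()}
        return sid

    def get(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.clock() - s["created"] > ABSOLUTE_TIMEOUT:
            self.destroy(sid)  # absolute timeout: a trap session cannot be kept alive
            return None
        return s

    def destroy(self, sid):
        # Session destruction on the server, not merely cookie expiry in the browser.
        self.sessions.pop(sid, None)

def login_vulnerable(store, sid_from_cookie, user):
    """Authenticates whatever SID the browser presents: a fixated trap SID
    becomes the victim's authenticated session, usable by the attacker."""
    s = store.get(sid_from_cookie)
    if s is None:
        sid_from_cookie = store.new_session()
        s = store.get(sid_from_cookie)
    s["user"] = user
    return sid_from_cookie

def login_hardened(store, sid_from_cookie, user):
    """Ignores the presented SID: destroys it and issues a fresh one after
    successful authentication, so a pre-set trap SID never becomes valid."""
    store.destroy(sid_from_cookie)
    new_sid = store.new_session()
    store.get(new_sid)["user"] = user
    return new_sid
```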
