PHP - Session Fixation
A very popular attack that targets sessions is session fixation . The
primary reason behind its popularity is that it's the easiest method by
which an attacker can obtain a valid session identifier. As such, its
intended use is as a stepping-stone to a session hijacking attack,
impersonating a user by presenting the user's session identifier.
Session fixation is any approach that causes a victim to use a session
identifier chosen by an attacker. The simplest example is a link with
an embedded session identifier:
<a href="http://host/login.php?PHPSESSID=1234">Log In</a>
A victim who clicks this link will resume the session identified as 1234, and if the victim proceeds to log in, the attacker can hijack the victim's session to escalate his level of privilege.
There are a few variants of this attack, including some that use cookies for this same purpose. Luckily, the safeguard is simple, straightforward, and consistent. Whenever there is a change in the level of privilege, such as when a user logs in, regenerate the session identifier with session_regenerate_id( ):
This effectively prevents session fixation attacks by ensuring that any user who logs in (or otherwise escalates the privilege level in any way) is assigned a fresh, random session identifier.
United States : 
Unknown Browser
