#2 - Webtune App - Broken Authentication - Session cookie is not rotated after a user logs in

According to this article:

The main idea behind a session fixation attack is that the attacker predetermines the session ID the victim will use. If the web application persists the authentication state of the victim in the session, the attacker can use that predetermined session ID to impersonate the victim after the victim logs in.

Before Login image

After Login image
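
The sketch below is an added illustration, not code from the Webtune app or from this report; `SessionStore`, its method names and the user `alice` are constructed for the example. It compares a login that keeps the pre-login session ID (the behaviour reported here) with one that rotates it, and checks whether the old ID ends up authenticated.

```python
import secrets


class SessionStore:
    """In-memory server-side session store (constructed for illustration)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login_no_rotation(self, sid, user):
        # Reported behaviour: the pre-login ID is kept and marked authenticated.
        if sid not in self._sessions:
            sid = self.create()
        self._sessions[sid]["user"] = user
        return sid

    def login_with_rotation(self, sid, user):
        # Fix: invalidate the pre-login ID and issue a fresh one that only
        # the authenticating client receives; pre-login data is carried over.
        old = self._sessions.pop(sid, None) or {}
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {**old, "user": user}
        return new_sid


def check_rotation(store, login):
    """Return (rotated, old_id_still_authenticated) for a login function."""
    pre = store.create()            # cookie value seen before login
    post = login(pre, "alice")      # cookie value seen after login
    old = store.get(pre)
    return post != pre, bool(old and old["user"])


def audit():
    store = SessionStore()
    return {
        "no_rotation": check_rotation(store, store.login_no_rotation),
        "with_rotation": check_rotation(store, store.login_with_rotation),
    }


if __name__ == "__main__":
    for name, (rotated, stale) in audit().items():
        print(f"{name}: rotated={rotated} old_id_authenticated={stale}")
```

The same two-step comparison (record the cookie before login, compare it after) is what the Before Login and After Login screenshots capture, and it works as a regression test once the fix is in place.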