Demonstrating ASP.NET session fixation

This demo shows ASP.NET session fixation in practice. The steps are pretty straightforward:

  1. Log in as the attacker.
  2. Fix the victim's session.
  3. Wait for the victim to log in and populate the (now) shared session with the victim's data.
  4. Have a look at the victim's session data.

Are you ready? Then start the attack. You'll have to log in if you haven't already.

You can also learn more about how it works.
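
Seen from the defender's side, steps 2 and 3 leave a trace: one session ID carries logins for two different users, and the victim's login reuses an ID that already existed. The following is an added example, not code from this demo or its application; the log format, field names and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log in a hypothetical format (not from the demo application):
# timestamp, client IP, session id, event, authenticated user ("-" if anonymous).
SAMPLE_LOG = """\
2024-05-01T10:00:01 198.51.100.7 sid=aaa111 login user=attacker
2024-05-01T10:00:09 198.51.100.7 sid=aaa111 request user=attacker
2024-05-01T10:03:40 203.0.113.25 sid=aaa111 login user=victim
2024-05-01T10:03:55 198.51.100.7 sid=aaa111 request user=attacker
2024-05-01T10:04:50 192.0.2.14 sid=ccc333 request user=-
2024-05-01T10:05:00 192.0.2.14 sid=bbb222 login user=bob
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\S+) (?P<event>\w+) user=(?P<user>\S+)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def shared_sessions(log_text):
    """Session ids that carried logins for more than one user (the shared session of step 3)."""
    users, ips = defaultdict(set), defaultdict(set)
    for e in parse(log_text):
        ips[e["sid"]].add(e["ip"])
        if e["event"] == "login" and e["user"] != "-":
            users[e["sid"]].add(e["user"])
    return {sid: {"users": sorted(u), "ips": sorted(ips[sid])}
            for sid, u in users.items() if len(u) > 1}

def unrotated_logins(log_text):
    """Logins that reused a session id seen earlier, i.e. no new id was issued at login."""
    seen, hits = set(), []
    for e in parse(log_text):
        if e["event"] == "login" and e["sid"] in seen:
            hits.append((e["ts"], e["sid"], e["user"]))
        seen.add(e["sid"])
    return hits

if __name__ == "__main__":
    print(shared_sessions(SAMPLE_LOG))
    print(unrotated_logins(SAMPLE_LOG))
```

The third user in the sample gets a fresh session ID at login and is not flagged, which is the behaviour an application that rotates the ID on authentication would show for every login.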