Secure Legion Labs

Broken Authentication Lab

Session Fixation

This room simulates a portal that accepts a client-supplied session identifier before login and never rotates it after authentication. Your goal is to prove that a chosen session value survives login and becomes the authenticated session.

Objective: Carry a chosen session into auth. Show that a pre-login session value stays valid after the user is authenticated.
Difficulty: Medium. Less about guessing secrets, more about spotting broken session lifecycle behavior.
Flag: Unlocks on fixation success. The flag appears once the server accepts and preserves the attacker-controlled session.
Flow Review

What to pay attention to

  • Step: Send your own session value
  • Step: Authenticate normally
  • Goal: Observe whether the session identifier changes
Hint: A secure login flow issues a fresh session identifier on successful authentication. An identifier the attacker chose before login must not remain active afterwards.
Broken Logic

What the application gets wrong

The portal lets the client supply a session token before login and, on successful authentication, binds the user to that same token instead of issuing a new one.

// Vulnerable: whatever session the client sent is reused after authentication.
function login(request, user, pass) {
  const session = request.sessionId || issueGuestSession()  // client-chosen id wins
  if (validCredentials(user, pass)) {
    session.user = user   // same id, now bound to an authenticated user
    return session
  }
  return null
  // missing rotateSessionId()
}
Login Console

Authenticate with a chosen session

Set a session token, send a login request to POST /api/session/login, and compare the pre-login and post-login identifiers.

Observed note: Support onboarding notes mention that temporary guest sessions often begin with a recognizable internal prefix.
Session Output

Rendered result

The critical question is whether the post-login session is freshly issued or whether the attacker-chosen identifier is still active.

Flag Unlock

Challenge flag

The flag appears after the portal proves it kept the attacker-controlled session after login.

Submit Flag

Validate completion

Submit the unlocked flag to complete the session fixation room.

Flag is locked until the chosen session survives authentication.

Execution Path

How the fixation works here

1. Choose pre-auth session

The attacker supplies a session identifier they already know before the victim authenticates. Because the portal accepts client-supplied identifiers, the value does not have to be guessed, only planted.

2. Victim logs in

The portal validates credentials but does not rotate the session identifier.

3. Attacker keeps same session

The chosen identifier becomes the authenticated session. The attacker, who already holds it, can replay it and act as the victim.