Session Fixation
Session fixation is possible when we are able to craft a request or a URL carrying an arbitrary session ID (often one matching a valid session).
URL/?param=some_session_ID => PHPSESSID=some_session_ID
It is typically exploited through social engineering. An attacker sends a link containing a session ID they picked. When the victim logs in, the attacker can use that session to access the victim's account.
To prevent this attack 🛡️, it's often encouraged to issue a new session whenever a user gains more privileges (guest => logged => admin).
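The effect of that mitigation, as an added example that is not part of the original page: a small in-memory model of a session table that replays the scenario above with and without a new session ID at login. `SessionStore`, its `strict` and `rotate_on_login` options, and `fixed_id_outcome` are hypothetical names, and the session ID value is the placeholder used above.

```python
import secrets


class SessionStore:
    """In-memory session table (constructed model, not a real framework)."""

    def __init__(self, strict, rotate_on_login):
        self.strict = strict                    # reject IDs the server never issued
        self.rotate_on_login = rotate_on_login  # new ID when privileges change
        self.sessions = {}                      # session ID -> session data

    def open(self, client_sid=None):
        """Return the session ID used for a request that presented client_sid."""
        if client_sid in self.sessions:
            return client_sid                   # known session: keep using it
        if client_sid and not self.strict:
            sid = client_sid                    # weak: adopts a client-chosen ID
        else:
            sid = secrets.token_urlsafe(32)     # server-generated, unguessable
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate the session; return the ID the client must use from now on."""
        data = self.sessions[sid]
        if self.rotate_on_login:
            del self.sessions[sid]              # the pre-login ID stops working
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = data
        data["user"] = user
        return sid

    def whoami(self, sid):
        """User bound to sid, or None if the ID is unknown or unauthenticated."""
        return self.sessions.get(sid, {}).get("user")


def fixed_id_outcome(store, fixed_sid="some_session_ID"):
    """Victim arrives with fixed_sid and logs in; return the user that
    fixed_sid maps to afterwards (None means the fixed ID is useless)."""
    victim_sid = store.open(fixed_sid)
    store.login(victim_sid, "victim")
    return store.whoami(fixed_sid)


if __name__ == "__main__":
    print("keeps ID on login:  ", fixed_id_outcome(SessionStore(False, False)))
    print("rotates ID on login:", fixed_id_outcome(SessionStore(False, True)))
    print("strict and rotates: ", fixed_id_outcome(SessionStore(True, True)))
```

Rejecting unknown IDs alone is not enough when the fixed ID is one the server itself issued to a guest; only the rotation at login invalidates it.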
A large number of applications assign session IDs to every client.