During a web application assessment, a penetration tester accesses the site unauthenticated and receives the...

This is a session fixation vulnerability because the application is reusing the same session identifier before and after authentication instead of issuing a new one upon successful login. In secure session management, the server should regenerate the session token after a user authenticates so that any pre-authenticated session identifier cannot be abused. If an attacker can force or predict a victim’s session ID before login, and the application keeps that same ID after authentication, the attacker may be able to hijack the authenticated session. That is the essence of session fixation. This is not JWT manipulation because there is no indication of token tampering, not cookie poisoning because the issue is not altered cookie content, and not a collision attack because no hash collision scenario is described. The flaw is improper session regeneration after authentication.