I was testing a web application where the cookies (session ID, session values) stay the same at all times. Even after successful authentication takes place, it remains unchanged. The session ID travels in the form of an HTTP cookie.
To investigate a session fixation vulnerability, I sent my colleague a link like http://yoursite.com/?SID=1209023, because I thought the web site would automatically assign the victim session ID 1209023 for the victim's future browsing on the site. But it didn't work.
So my application isn't affected in this way but still has the same cookies. Is there any other way to test for the existence of a session fixation vulnerability in my application?
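
The behaviour described in the question, a session cookie that stays the same across login, can be checked by comparing the ID issued before authentication with the one in use afterwards. The following is an added example, not part of the original post; `SessionStore` and `fixation_check` are hypothetical names, and the in-memory session table is a constructed stand-in for the application.

```python
import secrets


class SessionStore:
    """Toy server-side session table (constructed for this example)."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session ID -> username, or None while anonymous

    def visit(self, cookie=None):
        """Return the session ID the server sets for a request."""
        if cookie in self.sessions:
            return cookie
        sid = secrets.token_hex(16)  # unknown or client-chosen IDs are never adopted
        self.sessions[sid] = None
        return sid

    def login(self, cookie, username):
        """Authenticate and return the session ID sent back in the cookie."""
        sid = self.visit(cookie)
        if self.rotate_on_login:
            del self.sessions[sid]       # invalidate the pre-login ID
            sid = secrets.token_hex(16)  # issue a fresh ID for the authenticated session
        self.sessions[sid] = username
        return sid

    def whoami(self, cookie):
        """Return the user bound to this session ID, or None."""
        return self.sessions.get(cookie)


def fixation_check(store, username="alice"):
    """Compare the session ID before and after login, as a tester would."""
    pre = store.visit()
    post = store.login(pre, username)
    return {
        "id_unchanged": pre == post,
        "pre_login_id_authenticated": store.whoami(pre) == username,
    }


if __name__ == "__main__":
    print("no rotation:", fixation_check(SessionStore(rotate_on_login=False)))
    print("rotation:   ", fixation_check(SessionStore(rotate_on_login=True)))
```

A session ID that is unchanged after login and still authenticated is the condition to report; regenerating the ID at authentication and invalidating the old one clears both flags.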