Question 1: Why is this happening?
Your session is only bound to a session cookie, not to the IP or any browser details. This is entirely common - even Github does that. (Using additional properties to bind the session can have undesired consequences, e.g. it could lead to random logouts when a user updates their browser or changes their IP.)
Question 2: Probable ways to resolve this issue.
It's not a major security issue. Copying cookies from one browser to another requires access to a browser's cookie storage which an ordinary attacker doesn't have. If you still want to ensure that a user can't reuse their session in a different browser you could bind additional properties, e.g. invalidate a session as soon as the User-Agent header changes.
Question 3: Is this even a session fixation vulnerability?
No, it's not. In a session fixation attack you force a known session ID on an (unauthenticated) victim. This ID remains valid after the victim logs in so that you can reuse it to be authenticated as the victim yourself. But without an additional vulnerability there is no way to inject the session cookie into the victim's browser in the first place. The OWASP page on it has some examples that show which possible preconditions can lead to a session fixation vulnerability.
Question 4: Should I report it to their bug bounty program?
Most likely it's out of scope. With the hordes of bug bounty hunters you have to expect that issues like these are already covered on high-profile sites, and if they persist, it's by design.
In some cases, I am able to log in to a second browser even after logging out from the first browser.
A logout should invalidate the current session but not necessarily terminate all other active sessions. Just because you log out from Github on your phone, you don't necessarily want to be logged out in your browser, too.
This demo shows on the example of Github that copying the same session cookie from one client to another is often permitted:
- Login on Github.
- Copy the user session cookie user_session from the browser's cookie jar. (You can't do it with JS because the cookie is HttpOnly.)
$ curl -b "user_session=[your session id]" https://github.com/
- You will find that the HTML response is still authenticated. (You should see your own username and your repositories in the code.)
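The behaviours described in this answer, as an added example that is neither part of the answer nor GitHub's own code: a minimal in-memory session store in Python. With the default (cookie-only binding) a copied session ID is accepted from any client, just as the curl demo shows; opting in to User-Agent binding rejects the copied cookie; rotating the ID at login means a pre-login ID forced on a victim is useless afterwards (the standard session fixation mitigation); and logging out one session leaves the user's other sessions alive unless a "log out everywhere" call is used. The class, its method names and the sample User-Agent strings are all constructed assumptions.

```python
import hmac
import secrets
import time


class SessionStore:
    """Constructed in-memory session store (added example, not a real service's code).

    Each session record holds the user (None before login), the User-Agent seen
    when the session was created, and a creation timestamp.
    """

    def __init__(self, bind_user_agent=False):
        # False mirrors the common practice the answer describes: the session
        # is bound to the cookie only. True adds the optional User-Agent binding.
        self.bind_user_agent = bind_user_agent
        self._sessions = {}  # session_id -> {"user": ..., "ua": ..., "created": ...}

    def issue_anonymous(self, user_agent):
        """Pre-login session a visitor receives on first contact."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "ua": user_agent, "created": time.time()}
        return sid

    def login(self, old_sid, user, user_agent):
        """Authenticate and rotate the session ID.

        Discarding the pre-login ID is what defeats session fixation: an ID an
        attacker managed to plant before login is no longer valid afterwards.
        """
        self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ua": user_agent, "created": time.time()}
        return sid

    def authenticated_user(self, sid, user_agent):
        """Return the logged-in user for a valid session, else None.

        With bind_user_agent=True a changed User-Agent header invalidates the
        session, the extra binding the answer mentions as an option.
        """
        rec = self._sessions.get(sid)
        if rec is None or rec["user"] is None:
            return None
        if self.bind_user_agent and not hmac.compare_digest(
            rec["ua"].encode(), user_agent.encode()
        ):
            del self._sessions[sid]
            return None
        return rec["user"]

    def logout(self, sid):
        """Invalidate only this session; sessions on other devices stay valid."""
        self._sessions.pop(sid, None)

    def logout_all(self, user):
        """Terminate every session belonging to the user ('sign out everywhere')."""
        for sid in [s for s, r in self._sessions.items() if r["user"] == user]:
            del self._sessions[sid]

    def active_sessions(self, user):
        return sum(1 for r in self._sessions.values() if r["user"] == user)


def demo():
    """Walk through the scenarios from the answer and return the observations."""
    browser_ua = "Mozilla/5.0 (constructed browser UA)"
    curl_ua = "curl/8.0.0 (constructed)"
    results = {}

    # 1. Cookie-only binding: the copied cookie is accepted from curl.
    store = SessionStore(bind_user_agent=False)
    pre = store.issue_anonymous(browser_ua)
    sid = store.login(pre, "alice", browser_ua)
    results["fixated_id_rejected"] = store.authenticated_user(pre, browser_ua) is None
    results["copied_cookie_accepted"] = store.authenticated_user(sid, curl_ua) == "alice"

    # 2. User-Agent binding: the same copied cookie is rejected and invalidated.
    bound = SessionStore(bind_user_agent=True)
    sid2 = bound.login(bound.issue_anonymous(browser_ua), "alice", browser_ua)
    results["copied_cookie_rejected"] = bound.authenticated_user(sid2, curl_ua) is None
    results["session_gone_after_mismatch"] = bound.authenticated_user(sid2, browser_ua) is None

    # 3. Logout invalidates one session, not all of them.
    multi = SessionStore()
    phone = multi.login(multi.issue_anonymous("phone UA"), "bob", "phone UA")
    desktop = multi.login(multi.issue_anonymous("desktop UA"), "bob", "desktop UA")
    multi.logout(phone)
    results["other_session_survives_logout"] = multi.authenticated_user(desktop, "desktop UA") == "bob"
    multi.logout_all("bob")
    results["logout_all_clears"] = multi.active_sessions("bob") == 0
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every flag returned by demo() is True under the assumptions above. Note that hmac.compare_digest is used for the User-Agent comparison so that the check takes the same time regardless of where the strings differ; it is a small detail, but session validation code is a natural place for constant-time comparisons.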