I wonder what Session Fixation exploit possibilities still exist today in case the website does not change the Session-ID in a cookie after login other than the following:

  1. XSS
  2. MiTM
  3. open redirect vuln

We've encountered a customer website which has the issue and would like to design a PoC to exploit it.

schroeder
VJSpeter

0 Answers