In which phase does the attacker wait for the victim to log in to the target web server using the trap session ID and then take over the session?


Multiple Choice

In which phase does the attacker wait for the victim to log in to the target web server using the trap session ID and then take over the session?

Explanation:
Session fixation happens when an attacker fixes a known session identifier before the user logs in, so that after authentication the attacker can take over the session using that same ID. In this scenario, the attacker gives or causes the victim to use a trap session ID and waits for the victim to log in. Once the login occurs, the attacker can reuse that same session ID to access the now-authenticated session, effectively taking over the session. That moment, in which the attacker leverages a pre-set, known session ID after login to hijack the session, is the fixation phase. Defenses include regenerating the session ID after authentication and binding the session to the user so that a pre-known ID cannot be reused.

