The application does not regenerate the session identifier after successful authentication: the session ID issued to an unauthenticated visitor is kept and simply marked as logged in. An attacker can therefore obtain a valid pre-authentication session ID from the server, plant it in the victim's browser (session fixation), and, once the victim logs in under that ID, present the same ID to hijack the now-authenticated session.
An attacker who succeeds gains full access to the victim's authenticated session without knowing the victim's credentials and can perform any action the victim is authorized to perform, including reading sensitive data and modifying account settings.
Regenerate the session identifier immediately after successful authentication, and invalidate the previous identifier at the same time (issuing a fresh ID while the old one remains valid does not close the hole). Generate identifiers server-side from a cryptographically secure random source and never accept an identifier the server did not issue. Enforce both an idle timeout and an absolute session lifetime. Where feasible, bind the session to client properties such as the User-Agent and treat a mismatch as grounds to terminate the session; note that binding to the client IP address alone produces false positives for mobile and proxied users, so use it as a signal rather than a hard check.