How to protect your application from session fixation

First, why does this happen to so many applications? Most web applications have a security issue like the one I am going to discuss here.

As we all know, sessions are a must in any modern web application. In PHP a session is started with the function session_start();

session_start() creates a session ID on the server side (or resumes an existing one) and sends that ID to the client's browser as a cookie, named PHPSESSID by default.

For example, go to any site's login page and look at that site's PHPSESSID cookie in your browser's cookie viewer.

Now, if you have an account on that site, log in and check the PHPSESSID cookie again. If it is the same as it was before login, the site is vulnerable to session fixation: an attacker who manages to plant a session ID of their own choosing in your browser before you log in will, after you log in, hold the ID of your authenticated session and can use it as you.

In PHP there is a function called session_regenerate_id(), which replaces the session ID on the server and updates the session ID cookie in the client's browser. Pass true as its argument so that the old session is discarded as well; otherwise the old ID still points to the same session data until garbage collection runs, and the session the attacker planted remains usable.

So, once a user has completed authentication with a valid username and password (I am assuming you store the user ID in a session variable at that point), call session_regenerate_id(true) just before storing anything in the session. That one call solves the session fixation problem: the ID the attacker planted is no longer the ID of the authenticated session. Do the same on any other change of privilege, and destroy the session completely on logout.
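Here is a complete login handler that puts this together. It is an example added here, not code from the original post. The verify_credentials() helper and its single hard-coded user are placeholders for your own user lookup. It also turns on session.use_strict_mode (PHP 7.1 and later), which makes PHP refuse session IDs it did not issue itself, and sets the cookie flags via session_set_cookie_params(); both go beyond what the post itself discusses and are assumptions about what a hardened setup should look like.

```php
<?php
// login.php - added example, not from the original post.
declare(strict_types=1);

// Reject session IDs the server never issued (PHP >= 7.1). With strict mode on,
// an attacker-supplied PHPSESSID that does not match an existing server-side
// session is thrown away and a fresh ID is generated instead.
ini_set('session.use_strict_mode', '1');

// Cookie hardening (assumed setup): not readable by script, HTTPS only,
// not sent on cross-site requests. Requires PHP >= 7.3 for the array form.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

/**
 * Hypothetical credential check. Returns the user's ID on success, null otherwise.
 * The single user below is constructed for this example; a real application
 * loads the stored password hash from its user store.
 */
function verify_credentials(string $username, string $password): ?int
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        ];
    }
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash']) ? $users[$username]['id'] : null;
}

/**
 * Authenticate the user and, on success, bind the session to them.
 * Returns true on success, false on bad credentials.
 */
function login(string $username, string $password): bool
{
    $userId = verify_credentials($username, $password);
    if ($userId === null) {
        return false;
    }

    // The key step: issue a brand-new session ID *before* the session becomes
    // authenticated. The argument true deletes the old session file, so an ID
    // the attacker fixated beforehand no longer maps to anything on the server.
    session_regenerate_id(true);

    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
    return true;
}

/**
 * Tear the session down completely: clear the data, expire the cookie on
 * the client and destroy the server-side session.
 */
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Request handling: the ID the browser arrived with must differ from the
// ID it leaves with after a successful login.
$idBeforeLogin = session_id();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login((string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($ok && session_id() === $idBeforeLogin) {
        // Should never happen; if it does, the fixation protection is not in effect.
        error_log('session ID unchanged after login');
    }
    header('Location: ' . ($ok ? '/dashboard' : '/login?error=1'));
    exit;
}
```

The post's manual check (compare PHPSESSID before and after login) is exactly what the `$idBeforeLogin` comparison automates; if you ever see that log line, the regenerate call is being skipped or the session was started somewhere else without it.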