Blood Bank Management System Session Fixation Vulnerability

Vulnerability

A session fixation vulnerability has been identified in Blood Bank Management System version 1.0, specifically within the login.php file. This vulnerability allows an attacker to set or predict a user's session identifier before authentication. When the user logs in, the application retains the attacker-provided session ID instead of generating a new one. This behavior enables the attacker to hijack the authenticated session and gain unauthorized access to the user's account.
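For comparison, the following is an added illustration (not the project's own login.php, and not code from this advisory) of the login pattern that leaves a pre-authentication session ID in place beside a hardened version that rotates the ID after a successful credential check. The credential store, user name and function names are constructed for the example.

```php
<?php
// Added example: vulnerable vs. hardened login handling for session fixation.
// Nothing here is taken from Blood Bank Management System; all names are constructed.
declare(strict_types=1);

// Constructed credential store; a real application would query its database.
function demoUsers(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('demo-pass', PASSWORD_DEFAULT)];
    }
    return $users;
}

function checkCredentials(string $user, string $pass): bool
{
    $users = demoUsers();
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Vulnerable pattern: whatever session ID existed before login (possibly one a
// third party already knows) stays attached to the now-authenticated session.
function loginVulnerable(string $user, string $pass): bool
{
    if (!checkCredentials($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user; // privileges bound to the pre-auth ID
    return true;
}

// Hardened pattern: issue a fresh ID on privilege change and discard the old
// session data, so an ID known before login never becomes an authenticated one.
function loginHardened(string $user, string $pass): bool
{
    if (!checkCredentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true); // true = delete the old session record
    $_SESSION['user'] = $user;
    return true;
}

// Defence in depth: strict mode makes PHP refuse session IDs it did not issue,
// and the cookie flags keep the ID away from scripts and plain-HTTP transport.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
session_start();

// CLI demonstration: only the hardened login changes the session ID.
$before = session_id();
loginVulnerable('alice', 'demo-pass');
$afterVulnerable = session_id();
loginHardened('alice', 'demo-pass');
$afterHardened = session_id();

printf("vulnerable login: %s\n", $afterVulnerable === $before ? 'ID unchanged' : 'ID rotated');
printf("hardened login:   %s\n", $afterHardened === $before ? 'ID unchanged' : 'ID rotated');
```

Run it with `php fixation_demo.php`; the first line reports the ID unchanged and the second reports it rotated. When auditing a login handler, the check is simply whether `session_regenerate_id(true)` (or an equivalent) runs on every successful authentication, and whether `session.use_strict_mode` is enabled so that client-supplied, uninitialized IDs are rejected outright.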

Impact

Exploitation of this vulnerability allows for session hijacking, where an attacker can impersonate a user by taking over their authenticated session.

Reproduction

To reproduce this vulnerability, first observe the session ID assigned to the user before logging in. An attacker can then set a specific session ID (PHPSESSID); after the victim logs in, the application keeps using the attacker-supplied session ID, allowing the attacker to hijack the session.

Added: Dec 1, 2025, 3:21 PM
Updated: Dec 1, 2025, 7:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.0
exploitability: 7.0
remediation: 0.0
relevance: 1.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.