Hipapheralkus / AIAIAI

An Incredibly Annoying, Insufferable Authentication Implementation

AIAIAI (An Incredibly Annoying, Insufferable Authentication Implementation)

This web application is meant to demonstrate harder-to-handle session management. The initial goal is to learn how to properly set up Burp Suite, but feel free to experiment, contribute, and make it harder :)

Credentials are hardcoded:

USERNAME = 'admin'
PASSWORD = 'password'
SECRET_KEY = 'secret123'

Concerning vulnerabilities, the POST to /hi2 results in stored XSS, which can be accessed at /names.
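The stored-XSS pattern behind /hi2 and /names, as an added example that is not the project's own code: the form field `name`, the in-memory list and the WSGI handler are assumptions made for illustration. It stores the posted value verbatim and renders it on a second page, once unescaped and once through `html.escape`.

```python
import html
import io
from urllib.parse import parse_qs

def make_app(escape_output):
    """Build a tiny WSGI app; escape_output=False reproduces the stored-XSS pattern."""
    names = []  # in-memory stand-in for the app's storage (assumption)

    def app(environ, start_response):
        path, method = environ["PATH_INFO"], environ["REQUEST_METHOD"]
        if path == "/hi2" and method == "POST":
            size = int(environ.get("CONTENT_LENGTH") or 0)
            form = parse_qs(environ["wsgi.input"].read(size).decode())
            names.append(form.get("name", [""])[0])  # stored verbatim
            body = "saved"
        elif path == "/names" and method == "GET":
            # The fix belongs at output time: encode for the HTML context.
            render = html.escape if escape_output else (lambda s: s)
            items = "".join(f"<li>{render(n)}</li>" for n in names)
            body = f"<ul>{items}</ul>"
        else:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [body.encode()]
    return app

def call(app, method, path, data=""):
    """Invoke the WSGI callable directly, no network needed."""
    raw = data.encode()
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(raw)), "wsgi.input": io.BytesIO(raw)}
    return b"".join(app(environ, lambda status, headers: None)).decode()

# Constructed sample input: a harmless marker tag, URL-encoded as a form field.
SAMPLE = "name=%3Cb%3Emarker%3C%2Fb%3E"

def names_page(escape_output):
    """POST the sample to /hi2, then return what /names serves to later visitors."""
    app = make_app(escape_output)
    call(app, "POST", "/hi2", SAMPLE)
    return call(app, "GET", "/names")

if __name__ == "__main__":
    print("unescaped:", names_page(False))
    print("escaped:  ", names_page(True))
```

When verifying a fix, check the response of the page that displays the data, not the response of the POST that stored it.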

If you are interested, check out a deep dive into the topics of Session Management and Session Macros in Burp Suite.

YouTube Live Demo

Languages

Python 65.5%, HTML 34.5%