Question regarding the examples
lucapivato opened this issue
https://owasp.org/www-community/attacks/Session_fixation
Example 2:
http://website.kom/<script>document.cookie=”sessionid=abcd”;</script>
Example 3:
http://website.kon/<meta http-equiv=Set-Cookie content=”sessionid=abcd”>
Are these serious examples?
Well, as you can tell from the big yellow banner, that content was auto-migrated and not yet reviewed.
Looking at https://wiki.owasp.org/index.php?title=Session_fixation&action=history it seems this hadn't been edited since 2014.
Given the difficult English and lack of consistency in domain names, etc., I would guess that it's a community contribution that not much thought was put into and was never reviewed. While the examples might have been realistic in the early 2000s (even that's a stretch), I'd agree they definitely aren't now.
Feel free to submit a PR revising the entire page. (Source: https://github.com/OWASP/www-community/blob/master/pages/attacks/Session_fixation.md)