I see it as kind of a "reverse session fixation" or "dangerous persistent sessions". An attacker can send a session cookie with any syntactically valid session ID to the server, and the server will spin up a brand new Session. Shameless plug: I wrote more about these vulnerabilities and workarounds in the Ethical hacking ASP. So I tried to find a way to remove the session on the server and none of the following (or a combination of them) works (although content is cleared, the session itself remains active): Request. To prevent this attack you can create an HTTP Module which acts before the Session State Module in the pipeline and performs additional validation. NET: The authentication does not have a "session" on the server, so if a valid auth cookie is received by the server the authentication is considered to be successfully completed.
destroys all of the data associated with the current session.
There is one HTTP session object for each client in each application.
In order to maintain a mapping between a particular session and the appropriate session object, so that it can properly access information for the current session, OC4J generates a unique session ID for each session.
When there are concurrent requests, other connections may see sudden session data loss, e.g. requests from JavaScript and/or requests from URL links.
Although the current session module does not accept an empty session ID cookie, immediate session deletion may result in an empty session ID cookie due to a client (browser) side race condition.