Vulnerability occurs when an application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers so that the session variable is set one context and then used in another. The most effective way to detect these vulnerabilities is to. enumerate all of the session variables used and in which context they are. valid. In practice this can only be effectively done via a source code review. All web servers, application servers, and web application environments are susceptible to session variable overloading.”]
Source: https://owasp.org/www-community/vulnerabilities/Session_Variable_Overloading