The Session Fixation attack fixes an established session on the victims browser, so the attack starts before the user logs in. An attacker can trick a legitimate user to follow a link that has a session ID set into it. If the user follows the link then the attacker will be sent to the application in the cookie. After this attacker can hijack the session and compromise the account of the legitimate user with the help of the fixed session. The application must perform validation of all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters)”]
Source: https://gbhackers.com/web-application-attacks-part-2/

