Question
Targeted reports trickle in: a few users find their account accessed by someone else right after they logged in via your SSO. No password was changed, no MFA bypassed. Your auth team finds the flaw: your app **does not rotate the session identifier on login** — it keeps the same session cookie a user had *before* authenticating. An attacker plants a known session id in the victim's browser (via a crafted link / a subdomain cookie), waits for the victim to log in, and then uses that same pre-known session id, now authenticated, from their own machine. Volume is tiny and victims are specific. How do you triage, contain, and fix this session-fixation issue?
Stop the bleeding first (mitigate): invalidate every session that was issued before authentication and force a fresh login, so any identifier an attacker planted is dead before you start investigating. Then form hypotheses from real signals rather than guesses: in this case the fingerprint to hunt for in access logs is a session id that was already seen from one client before the login and is used from that same other client after it. Separate root cause (the session id is not regenerated at login) from symptom (a handful of accounts taken over), communicate status as you go, and close with what prevents a repeat: rotate the identifier on every privilege change, and add a regression test that logs in with a planted cookie and checks that the value changes.
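The flaw and the fix side by side, as an added example that is not part of the original page and does not use any real framework's session API. It builds a toy in-memory session store, shows the vulnerable login handler that authenticates the pre-existing id in place next to the hardened one that discards it and issues a new one, replays the attack from the question against both, and runs the triage check over a few constructed log lines (the `SAMPLE_LOG` entries, IP addresses and `sid-A`/`sid-B` identifiers are invented for the demonstration).

```python
"""Session fixation: vulnerable vs rotated login, plus a log triage check.

Added example: a toy in-memory session store standing in for a real
framework, not the page's or any project's own code.
"""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: Optional[str] = None      # None until the session is authenticated
    created_pre_auth: bool = True   # was this identifier issued before login?


class SessionStore:
    """Minimal server-side session table keyed by the cookie value."""

    def __init__(self):
        self.sessions = {}

    def new_id(self) -> str:
        sid = secrets.token_urlsafe(32)   # unpredictable, but that is not enough
        self.sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self.sessions.get(sid)


def login_vulnerable(store: SessionStore, sid: str, user: str) -> str:
    """The flaw: authenticates the session the browser already holds, so
    whoever planted `sid` is now authenticated as `user` too."""
    sess = store.get(sid) or store.sessions.setdefault(sid, Session())
    sess.user = user
    return sid                       # same cookie value before and after login


def login_fixed(store: SessionStore, sid: str, user: str) -> str:
    """The fix: rotate the identifier on the privilege change. The pre-auth id
    is invalidated server-side, so a planted value never becomes authenticated."""
    store.sessions.pop(sid, None)
    new_sid = secrets.token_urlsafe(32)
    store.sessions[new_sid] = Session(user=user, created_pre_auth=False)
    return new_sid                   # server answers with Set-Cookie: <new_sid>


def fixation_attack(login) -> bool:
    """Replays the scenario: attacker obtains a valid sid, plants it in the
    victim's browser, the victim logs in, the attacker presents the same sid.
    Returns True if the attacker ends up authenticated as the victim."""
    store = SessionStore()
    planted = store.new_id()                  # attacker's own pre-auth session
    victim_cookie = planted                   # delivered via link/subdomain cookie
    victim_cookie = login(store, victim_cookie, "victim")
    attacker_view = store.get(planted)        # attacker replays the planted id
    return attacker_view is not None and attacker_view.user == "victim"


# Constructed access-log lines (invented for this example): ts ip sid event user
SAMPLE_LOG = """\
1000 198.51.100.7 sid-A request -
1005 203.0.113.9 sid-A login alice
1010 203.0.113.9 sid-A request alice
1020 198.51.100.7 sid-A request alice
1000 203.0.113.20 sid-B request -
1005 203.0.113.20 sid-B login bob
1010 203.0.113.20 sid-B request bob
"""


def find_fixation_candidates(log_text: str) -> list:
    """Triage signal: a session id that (a) was already in use from a client
    other than the one that logged in, before the login, and (b) is used by
    that same other client after the login. sid-A matches; sid-B does not."""
    by_sid = {}
    for line in log_text.splitlines():
        ts, ip, sid, event, _user = line.split()
        by_sid.setdefault(sid, []).append((int(ts), ip, event))
    flagged = []
    for sid, events in by_sid.items():
        events.sort()
        login = next((e for e in events if e[2] == "login"), None)
        if login is None:
            continue
        login_ts, login_ip, _ = login
        pre_ips = {ip for ts, ip, _ in events if ts < login_ts and ip != login_ip}
        post_ips = {ip for ts, ip, _ in events if ts > login_ts and ip != login_ip}
        if pre_ips & post_ips:
            flagged.append(sid)
    return flagged


if __name__ == "__main__":
    print("vulnerable login exploitable:", fixation_attack(login_vulnerable))
    print("rotated login exploitable:   ", fixation_attack(login_fixed))
    print("sessions to investigate:     ", find_fixation_candidates(SAMPLE_LOG))
```

The log check keys on client IP only because that is what the constructed lines carry; shared NATs and mobile clients changing address will produce false positives, so in a real triage pair it with user agent or TLS fingerprint and treat a hit as a lead to confirm against the user's report, not as proof on its own.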