Code Room
On-call | Hard | oc-g372
Subject: Account takeover | Level: Senior–Staff | ~40 min | Common in Security interviews | Industries: Software development, IT services, Technology

Question

Targeted reports trickle in: a few users report that their accounts were accessed by someone else right after they logged in via your SSO. No password was changed and no MFA was bypassed. Your auth team finds the flaw: your app **does not rotate the session identifier on login**. It keeps the same session cookie the user had *before* authenticating. An attacker plants a session id they already know in the victim's browser (via a crafted link or a cookie set from a subdomain), waits for the victim to log in, and then presents that same pre-known session id, now authenticated, from their own machine. Volume is tiny and the victims are specific people. How do you triage, contain, and fix this session-fixation issue?

What a strong answer looks like

Stop the bleeding first (mitigate: invalidate existing sessions and force re-authentication so that any planted identifier dies, and do it before the fix ships), then form hypotheses from real signals rather than guesses (the same session id seen from two different clients straddling a login event is the signal this scenario gives you). Separate root cause (no identifier rotation at the authentication boundary) from symptom (a handful of account takeovers), communicate status as you go, and close with what prevents a repeat: regenerate the session id on every privilege change, not just login, and make the cookie harder to plant from a sibling subdomain.
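The following is an added example, not code from the page or from the app in the scenario. It models the flaw and the fix side by side with a hypothetical in-memory session store: `login_no_rotate` authenticates the pre-existing id in place (the bug described above), `login_rotate` mints a new id at the authentication boundary and retires the old one. `simulate_fixation` plays the attack from the question against each handler, and `suspect_sessions` runs the triage signal over a constructed log (session ids used from more than one client after login). All identifiers, IPs and log records are constructed for the example.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session record in a hypothetical store (not the page's app)."""
    user: str | None = None                    # None until authenticated
    data: dict = field(default_factory=dict)   # pre-auth state worth keeping, e.g. a cart


class SessionStore:
    """Minimal in-memory session table standing in for the app's real store."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def new(self) -> str:
        """Issue a fresh, unauthenticated session identifier."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def user_for(self, sid: str) -> str | None:
        s = self._sessions.get(sid)
        return s.user if s else None

    def login_no_rotate(self, sid: str, user: str) -> str:
        """The flaw: mark the existing id as authenticated and keep using it."""
        s = self._sessions.get(sid)
        if s is None:
            raise KeyError("unknown session")
        s.user = user
        return sid  # same cookie value before and after login

    def login_rotate(self, sid: str, user: str) -> str:
        """The fix: new id at the auth boundary, old id deleted server-side."""
        old = self._sessions.pop(sid, None)   # a planted id stops resolving here
        fresh = Session(user=user)
        if old is not None:
            fresh.data = dict(old.data)       # carry over pre-auth state explicitly
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = fresh
        return new_sid  # caller must Set-Cookie this value on the login response


def session_cookie_header(sid: str) -> str:
    """Cookie attributes that make planting from a subdomain harder.

    Browsers only honour the __Host- prefix when the cookie is Secure, has no
    Domain attribute and Path=/, so a sibling subdomain cannot overwrite it.
    """
    return f"__Host-session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def simulate_fixation(rotate: bool) -> tuple[str | None, str | None, bool]:
    """Returns (user the planted id resolves to after login,
                user the victim's post-login cookie resolves to,
                whether the victim's cookie value changed at login)."""
    store = SessionStore()
    planted = store.new()        # attacker obtains a valid pre-auth id from the app
    victim_cookie = planted      # ...and plants it in the victim's browser (constructed)
    login = store.login_rotate if rotate else store.login_no_rotate
    victim_cookie = login(victim_cookie, "victim@example.com")
    return store.user_for(planted), store.user_for(victim_cookie), victim_cookie != planted


# Constructed access-log records: (session_id, client_ip, event)
SAMPLE_LOG = [
    ("sidA", "203.0.113.7", "page"),    # attacker fetches a pre-auth id
    ("sidA", "198.51.100.4", "login"),  # victim logs in with the planted id
    ("sidA", "198.51.100.4", "page"),
    ("sidA", "203.0.113.7", "page"),    # attacker rides the now-authenticated id
    ("sidB", "192.0.2.9", "login"),
    ("sidB", "192.0.2.9", "page"),
]


def suspect_sessions(log: list[tuple[str, str, str]]) -> list[str]:
    """Triage signal: session ids used from more than one client IP after login."""
    authed: set[str] = set()
    post_login_ips: dict[str, set[str]] = {}
    for sid, ip, event in log:
        if event == "login":
            authed.add(sid)
        if sid in authed:
            post_login_ips.setdefault(sid, set()).add(ip)
    return sorted(sid for sid, ips in post_login_ips.items() if len(ips) > 1)


if __name__ == "__main__":
    print("no rotation:", simulate_fixation(rotate=False))
    print("rotation:   ", simulate_fixation(rotate=True))
    print("suspects:   ", suspect_sessions(SAMPLE_LOG))
```

Without rotation the planted id resolves to the victim after login, which is exactly the takeover in the question; with rotation the planted id no longer resolves at all and the victim's cookie value changes. The IP-based triage query is a starting point, not proof: users on mobile networks legitimately change address, so pair it with user-agent and geography before naming victims. Containment in the real incident is the store-wide version of `login_rotate`: drop every session that predates the fix and make users log in again.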
