If a web application does not change a user's session token when the user logs in, an attacker can exploit this for a session fixation attack. The attacker tricks a victim into logging in with a session token that the attacker already knows. Once the victim has logged in, the attacker can use the known token to take over the victim’s session. This is a form of session hijacking.
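The following added example (not code from the original page) models the login step with a fixation-prone handler beside a hardened one that rotates the token, and checks whether a token that existed before login ends up authenticated. `SessionStore`, its method names and the user `alice` are hypothetical and constructed for illustration.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (constructed for illustration)."""

    def __init__(self):
        self._sessions = {}  # token -> session data dict

    def create(self):
        """Issue an anonymous (pre-login) session token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": None}
        return token

    def get(self, token):
        return self._sessions.get(token)

    def login_keep_token(self, token, user):
        """Fixation-prone: the pre-login token stays valid after login."""
        self._sessions[token]["user"] = user
        return token

    def login_rotate_token(self, token, user):
        """Hardened: discard the pre-login token and issue a fresh one."""
        data = self._sessions.pop(token, {})  # old token is now invalid
        data["user"] = user
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = data
        return new_token


def user_for(store, token):
    """Return the authenticated user bound to a token, or None."""
    session = store.get(token)
    return session["user"] if session else None


def token_known_before_login_is_authenticated(login_method_name):
    """True if a token that existed before login is authenticated afterwards."""
    store = SessionStore()
    pre_login_token = store.create()  # token known before login
    login = getattr(store, login_method_name)
    post_login_token = login(pre_login_token, "alice")  # constructed user
    assert user_for(store, post_login_token) == "alice"
    return user_for(store, pre_login_token) == "alice"
```

The same check works as a regression test for a real login handler: record the session cookie before authentication and assert that it is rejected afterwards.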