In this post, I’ll share a real-world (very fresh) vulnerability involving improper session management, leading to cross-user session takeover. This bug was rejected by a bug bounty program, not because it was invalid, but because they didn’t understand the risk. Here’s what happened.
Let’s say you’re a curious security researcher, playing in scope, obeying all the rules, and just trying to see how session management works on a certain financial platform to which you had previously been invited as a private tester.
You log in as User A in one tab. You grab the session cookie. Nothing weird so far.
Then, in another browser (or device), you inject that session cookie.
🎉 Boom — you’re now also User A, in two browsers. No logout, no OTP, just raw session love.
Now in Browser 1, you log out User A. Then you log in as User B — totally legit.
Go back to Browser 2, refresh…
You’re now User B, without ever logging in again. Same session cookie, same session ID, new user context. It’s like a session identity swap meet.
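To make the failure mode concrete, here is an added example (not code from the original post or from the platform in question) that simulates the behaviour described above with two in-memory session stores. `VulnerableSessionStore` models what the post observed: logout leaves the session ID valid and the next login re-points the same record at the new user, so a second browser holding the old cookie silently becomes User B. `HardenedSessionStore` shows the standard fix: destroy the record server-side on logout and issue a fresh session ID on every login, regardless of what cookie the client presented. The class names, the `replay_scenario` helper, and the user labels `userA`/`userB` are all constructed for this illustration.

```python
import secrets


class VulnerableSessionStore:
    """Models the flaw in the post: the server-side session record survives
    logout and is simply re-pointed at whoever logs in next, so every client
    still holding the old cookie follows along into the new user context."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": username or None}

    def login(self, presented_id, user):
        # Keeps whatever session ID the client presented (minting one only
        # the first time) and overwrites the user inside that record.
        session_id = presented_id if presented_id in self.sessions else secrets.token_hex(16)
        self.sessions[session_id] = {"user": user}
        return session_id

    def logout(self, session_id):
        # Only clears the user; the ID itself stays valid and reusable.
        if session_id in self.sessions:
            self.sessions[session_id]["user"] = None

    def whoami(self, session_id):
        record = self.sessions.get(session_id)
        return record["user"] if record else None


class HardenedSessionStore(VulnerableSessionStore):
    """Fix: logout destroys the record, and login always issues a new ID
    bound to the new authentication event (session regeneration)."""

    def login(self, presented_id, user):
        # Discard any presented ID so a replayed cookie cannot ride along.
        self.sessions.pop(presented_id, None)
        new_id = secrets.token_hex(16)
        self.sessions[new_id] = {"user": user}
        return new_id

    def logout(self, session_id):
        # Server-side invalidation: the cookie value is now meaningless.
        self.sessions.pop(session_id, None)


def replay_scenario(store):
    """Replays the post's steps against a store and returns what the
    second browser sees after the first browser switches users."""
    # Browser 1 logs in as User A and receives a session cookie.
    cookie_browser1 = store.login(None, "userA")
    # Browser 2 copies that cookie; both browsers are now User A.
    cookie_browser2 = cookie_browser1
    if store.whoami(cookie_browser2) != "userA":
        raise RuntimeError("cookie replay should initially resolve to userA")
    # Browser 1 logs out, then logs in as User B while still presenting
    # the old cookie (a browser keeps the cookie until the server changes it).
    store.logout(cookie_browser1)
    cookie_browser1 = store.login(cookie_browser1, "userB")
    # Browser 2 refreshes with its untouched cookie.
    return store.whoami(cookie_browser2)


if __name__ == "__main__":
    print("vulnerable store, browser 2 sees:", replay_scenario(VulnerableSessionStore()))
    print("hardened store, browser 2 sees:", replay_scenario(HardenedSessionStore()))
```

Running the script prints `userB` for the vulnerable store and `None` for the hardened one. The two properties worth checking in any real session layer are exactly the ones the hardened class enforces: the session ID presented before authentication must never be the one in use after it, and a logged-out ID must resolve to nothing on the server, not merely to an empty user.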