What is session hijacking in the context of web application security?
- Stealing a user's session ID to impersonate them -- Correct
- Guessing a user's password to gain access
- Redirecting a user to a phishing site
- Intercepting data packets during a user's session

Which technique is commonly used to intercept a session ID during session hijacking?
- Cross-site scripting -- Correct
- SQL injection
- Data encryption
- URL manipulation

What is a key indicator that a web application might be vulnerable to session fixation?
- Session IDs are stored in domain cookies.
- Session IDs have a numerical format.
- Session IDs are logged with user details.
- Session IDs can be set through URL parameters. -- Correct

How does session fixation exploit a web application vulnerability?
- By tricking a user into logging in with a known session ID -- Correct
- By using cross-site scripting to gather credentials
- By injecting malware into the server
- By avoiding the session timeout feature

What is the main difference between session hijacking and session fixation?
- Session hijacking requires user intervention; session fixation does not.
- Session hijacking uses cookies; session fixation uses URLs.
- Session hijacking is more harmful than session fixation.
- Session hijacking occurs after authentication; session fixation occurs before. -- Correct

Why is it critical for web applications to regenerate session IDs upon user login?
- To prevent session fixation attacks -- Correct
- To improve server performance
- To ensure user disconnection
- To reset user preferences