The app issues a session token before login and never rotates it afterwards, so it is open to session fixation: fix the session ID before the victim logs in and inherit their authenticated session.
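The flaw and its remediation side by side, as an added example that is not the app's own code. The in-memory `SessionStore`, both login handlers and the user name are constructed for illustration; `pre_login_token_survives` is a regression check that reports whether the token issued before login still resolves to an authenticated session.

```python
import secrets

class SessionStore:
    """In-memory stand-in for a server-side session table (constructed)."""
    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, old_sid):
        # Move the state to a fresh ID and invalidate the old one.
        data = self._sessions.pop(old_sid, {"user": None})
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

def login_vulnerable(store, sid, user):
    # Behaviour described above: the pre-login token is kept after login.
    store.get(sid)["user"] = user
    return sid

def login_hardened(store, sid, user):
    # New ID at the privilege change; the pre-login ID stops resolving.
    new_sid = store.rotate(sid)
    store.get(new_sid)["user"] = user
    return new_sid

def pre_login_token_survives(login):
    """True if the token issued before login is still authenticated after it."""
    store = SessionStore()
    pre = store.create()               # token handed out before login
    post = login(store, pre, "alice")  # "alice" is a constructed user name
    old = store.get(pre)
    return post == pre or (old is not None and old["user"] is not None)

if __name__ == "__main__":
    print("vulnerable:", pre_login_token_survives(login_vulnerable))
    print("hardened:  ", pre_login_token_survives(login_hardened))
```

Run against a real application, the same check means capturing the session cookie before authentication and asserting after login that its value has changed and the old value is rejected.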