diff --git a/src/main/resources/lessons/session_fixation/documentation/SessionFixation_1.adoc b/src/main/resources/lessons/session_fixation/documentation/SessionFixation_1.adoc new file mode 100644 index 000000000..ccecb5816 --- /dev/null +++ b/src/main/resources/lessons/session_fixation/documentation/SessionFixation_1.adoc @@ -0,0 +1,30 @@ +==== Introduction + +Session fixation is a security vulnerability that occurs when an attacker forces a user's session identifier (usually stored in a cookie) to be set to a value chosen by the attacker. +This attack can result in the attacker being able to impersonate the victim's session and gain unauthorized access to their account. + +==== How session fixation works + +The following steps outline the process of a session fixation attack: + +- The attacker obtains a session identifier (SID) from a valid session, either by generating one or through some other means. + +- The attacker tricks the victim into clicking on a malicious link that includes the obtained SID. +This link might be sent via email, social engineering, or another method. + +- When the victim clicks the malicious link, their browser uses the provided SID to identify the session. +The attacker can then use the same SID to access the victim's session after they log in. + +- The attacker now has unauthorized access to the victim's account, effectively taking over their session. + + +==== Implications and risks + +A successful session fixation attack can have serious consequences, including: + +- Unauthorized access to the victim's account and sensitive information. +- Ability to perform actions on behalf of the victim. +- Compromise of confidential data. +- Damage to the victim's reputation and trust in the web application. + + diff --git a/src/main/resources/lessons/session_fixation/documentation/SessionFixation_2.adoc b/src/main/resources/lessons/session_fixation/documentation/SessionFixation_2.adoc new file mode 100644 index 000000000..6401cb77a 
--- /dev/null +++ b/src/main/resources/lessons/session_fixation/documentation/SessionFixation_2.adoc @@ -0,0 +1,15 @@ +==== Preventing session fixation attacks + +Most modern web frameworks do a pretty decent job fixing the problem automatically. +Please read up on your framework before. + +To defend against session fixation attacks, web developers can implement the following countermeasures: + +- Never trust an url parameter: Never pass session identifiers via URLs, as these can be easily manipulated. +- Session regeneration: always change the session identifier upon significant events, such as login or privilege level change. +- Session timeout: Implement a session timeout mechanism that automatically logs out inactive users after a specified period. +This will help when an attacker sends an email to a victim with a link. +This way the link containing the session-id is already timed out. +- Random session identifiers: Generate session identifiers using a strong random number generator to make them difficult to guess or predict. +- Cookie attributes: Set `secure` and `HttpOnly` attributes for cookies to prevent manipulation and unauthorized access. + diff --git a/src/main/resources/lessons/session_fixation/documentation/SessionFixation_3.adoc b/src/main/resources/lessons/session_fixation/documentation/SessionFixation_3.adoc new file mode 100644 index 000000000..32e947ee8 --- /dev/null +++ b/src/main/resources/lessons/session_fixation/documentation/SessionFixation_3.adoc @@ -0,0 +1,17 @@ +==== Let's try + +Maybe WebGoat is vulnerable to a session fixation attack? +Create a new account, for example `attacker` and login to WebGoat. Email yourself with the link and click the link and login to WebGoat. + + +- Endpoint for logging in (POST) +- Goal is to get /users/..../profile this one checks session id cookie +- Email send to a specfic user should immediately login +- XSS should set cookie and endpoint should pick it up. +- + +Screen 1 is send email + + + + 
diff --git a/src/main/resources/lessons/session_fixation/documentation/SessionFixation_4.adoc b/src/main/resources/lessons/session_fixation/documentation/SessionFixation_4.adoc new file mode 100644 index 000000000..da65a5732 --- /dev/null +++ b/src/main/resources/lessons/session_fixation/documentation/SessionFixation_4.adoc @@ -0,0 +1,3 @@ +=== No longer hackable? + +Someone submitted a bug report and the developers made some improvements. Can you still hack them? diff --git a/src/main/resources/lessons/session_fixation/documentation/SessionFixation_intro.adoc b/src/main/resources/lessons/session_fixation/documentation/SessionFixation_intro.adoc new file mode 100644 index 000000000..31d74cf22 --- /dev/null +++ b/src/main/resources/lessons/session_fixation/documentation/SessionFixation_intro.adoc @@ -0,0 +1,10 @@ +In this lesson, you will learn about a common web application vulnerability called "Session Fixation." Session fixation is an attack that allows an attacker to set a victim's session identifier, potentially giving them unauthorized access to the victim's account. +We will explore how this attack works, its implications, and how to defend against it. + +Goals: + +By the end of this lesson, you will be able to: + +- Explain what a session fixation attack is and how it works. +- Understand the potential risks and consequences of a successful session fixation attack. +- Implement countermeasures to defend against session fixation attacks in a web application.
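Review bot: In SessionFixation_1.adoc the first step, `The attacker obtains a session identifier (SID) from a valid session, either by generating one or through some other means.`, leaves out the precondition that makes the attack work: the server must accept an identifier it did not issue, or at least keep the attacker-supplied identifier when the victim authenticates. Suggest stating that the attacker normally gets the SID simply by visiting the application, which issues one, and that the attack succeeds only because the application does not issue a fresh identifier at login. Without that, the third step (`their browser uses the provided SID to identify the session`) reads as though every application were vulnerable, and the link back to the `Session regeneration` countermeasure on the next page is lost.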
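Review bot: In SessionFixation_2.adoc, `Please read up on your framework before.` is cut short (before what?), and the countermeasure list omits the control that defeats the attack on its own: the server should accept only session identifiers it generated itself and discard any unknown identifier a client presents. Suggest adding that as a bullet and moving `Session regeneration` to the top, since the remaining items are mitigations rather than fixes: a timeout only helps if the fixed identifier expires before the victim uses it, and `secure`/`HttpOnly` protect the cookie on the wire and from script but do not stop the server from honouring an identifier the attacker chose. Also `an url parameter` should read `a URL parameter`, and `session-id` should match the `session identifier` wording used elsewhere on the page.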
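Review bot: SessionFixation_3.adoc still contains working notes rather than lesson text: the bullets from `- Endpoint for logging in (POST)` through the empty `-`, and `Screen 1 is send email`, describe the planned implementation (`XSS should set cookie and endpoint should pick it up.`) instead of telling the learner what to do, and the redacted path `/users/..../profile` is not something a reader can act on. Suggest replacing them with the actual exercise steps (which link goes in the email, what to look for after logging in) or dropping them before merge. `specfic` is a typo, and `Email yourself with the link and click the link` never says which link is meant.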
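Review bot: SessionFixation_4.adoc uses a level-2 heading (`=== No longer hackable?`) while every other page in this lesson uses `====`; suggest `====` so the page renders at the same level as the rest of the lesson.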
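Review bot: In SessionFixation_intro.adoc the `Goals:` line and `By the end of this lesson, you will be able to:` say the same thing; suggest keeping one. `Understand the potential risks and consequences ...` is also not something the lesson can check; `Describe the potential risks and consequences ...` matches the other two objectives, which are phrased as actions the learner performs.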