| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.enonic.xp:lib-auth | maven | < 7.7.4 | 7.7.4 |
The session fixation vulnerability stems from the absence of session invalidation during authentication. The commit diffs (0189975, 1f44674, 2abac31) show that the patched version calls session.invalidate() and creates a new session in createSession. The vulnerable createSession method in LoginHandler.java only set attributes on the existing session without invalidating it, so a session established before authentication kept its identifier after login and an attacker who knew that identifier could reuse it. The test case added in LoginHandlerTest.java verifies that session invalidation occurs, confirming that this was the vulnerable function.
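The pattern described above, shown as an added example that is not Enonic's code and does not use the lib-auth or servlet API: a toy in-memory session store, a login routine that (like the vulnerable createSession) writes the authenticated user onto whatever session the client presented, a login routine that invalidates the presented session and issues a fresh identifier (the shape of the fix), and a check in the spirit of the added LoginHandlerTest that reports whether a pre-established session identifier still works as an authenticated session after login. The SessionStore class, the two login functions and the check function are all constructed for this illustration.

```python
import secrets


class SessionStore:
    """Minimal server-side session store (constructed for this example).

    Maps an opaque session identifier to a dict of attributes, the way a
    servlet container maps a session cookie to an HttpSession.
    """

    def __init__(self):
        self._sessions = {}

    def create(self):
        # Fresh, unguessable identifier for every new session.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid):
        # Dropping the entry is what makes the old identifier useless.
        self._sessions.pop(sid, None)


def vulnerable_login(store, presented_sid, user):
    """Vulnerable shape: authenticate onto the session the client presented.

    Whatever identifier arrived with the request stays valid and now carries
    the authenticated user, so anyone who already knows that identifier
    holds an authenticated session.
    """
    session = store.get(presented_sid)
    if session is None:
        presented_sid = store.create()
        session = store.get(presented_sid)
    session["user"] = user
    return presented_sid


def fixed_login(store, presented_sid, user):
    """Fixed shape: invalidate the presented session, then create a new one.

    The pre-authentication identifier is discarded and the client receives
    an identifier that did not exist before authentication succeeded.
    """
    if store.get(presented_sid) is not None:
        store.invalidate(presented_sid)
    new_sid = store.create()
    store.get(new_sid)["user"] = user
    return new_sid


def login_reuses_presented_session(login):
    """Regression check: does a pre-login session id stay valid and
    authenticated after login? True means the login is fixation-prone."""
    store = SessionStore()
    pre_login_sid = store.create()  # exists before the user authenticates
    login(store, pre_login_sid, "alice")
    leftover = store.get(pre_login_sid)
    return leftover is not None and leftover.get("user") == "alice"


if __name__ == "__main__":
    print("vulnerable_login reuses presented session:",
          login_reuses_presented_session(vulnerable_login))
    print("fixed_login reuses presented session:",
          login_reuses_presented_session(fixed_login))
```

The check is the kind of unit test worth keeping in a code base permanently: it fails the moment someone reintroduces "set attributes on the current session" in a login path. If pre-login state must survive authentication (a return URL, a CSRF token), copy those specific attributes into the new session explicitly rather than keeping the old session alive.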