信息网络安全 ›› 2014, Vol. 14 ›› Issue (8): 21-27. doi: 10.3969/j.issn.1671-1122.2014.08.004
• Original Article •
XU Guo-tian
Abstract: Session authentication is a common identity-recognition mechanism of dynamic websites, and most websites use it to prevent unauthorized access. If a user who has not been authenticated browses to an access-restricted page, the site cannot read a legitimate session_id from the HTTP packet, and the illegal visitor is redirected to the login page. A hacker uses a session attack to capture the victim's session_id and logs in to the site with that value, thereby obtaining the victim's identity. If the victim is an administrator, the hacker can modify the website's data or even plant a Trojan, causing greater harm. This is a serious threat to the security of information networks, so research on session attacks and their investigation is important to forensics. The key to carrying out a session attack successfully is obtaining the session_id of a legitimate user. The research group found no prior research results in the area of clue investigation for session spoofing attacks. In this paper, three methods of capturing the session_id are studied: the "aging" phenomenon of the switch MAC address table, the MAC-PORT attack and the XSS attack. An investigation method for session attacks is also studied.
Key words: session, MAC-PORT, Referer, HOST
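As an added illustration of the investigative side the abstract and keywords point to (this is example code written for this page, not material from the paper), the script below scans constructed web-server log lines for two traces an investigator would look for: one session_id arriving from more than one client address, and requests whose Host or Referer header names a host other than the site's own. The log format, host names, addresses and session_id values are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (assumed format, not from the paper):
# client IP, session_id cookie value, Host header, Referer header, request path.
SAMPLE_LOG = """\
10.0.0.5 sid=abc123 host=shop.example.com referer=https://shop.example.com/ path=/account
10.0.0.5 sid=abc123 host=shop.example.com referer=https://shop.example.com/account path=/orders
10.0.0.9 sid=abc123 host=shop.example.com referer=- path=/admin
10.0.0.7 sid=def456 host=shop.example.com referer=https://evil.example.net/steal path=/profile
10.0.0.7 sid=def456 host=shop.example.com referer=https://shop.example.com/profile path=/settings
10.0.0.8 sid=ghi789 host=203.0.113.9 referer=- path=/login
"""

LINE_RE = re.compile(
    r"(?P<ip>\S+) sid=(?P<sid>\S+) host=(?P<host>\S+) referer=(?P<ref>\S+) path=(?P<path>\S+)"
)

def parse(log_text):
    """Turn the log text into a list of dicts, skipping lines that do not match."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def find_shared_sessions(events):
    """session_ids seen from more than one client IP. A captured and replayed
    session_id (the outcome of the capture methods the abstract studies) shows
    up as the same value arriving from the victim's and the attacker's address."""
    ips = defaultdict(set)
    for e in events:
        ips[e["sid"]].add(e["ip"])
    return {sid: sorted(v) for sid, v in ips.items() if len(v) > 1}

def _host_of(url):
    """Host part of an http(s) URL, without scheme, path or port."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]

def find_header_anomalies(events, site_hosts):
    """Requests whose Host or Referer header names a host other than the site's
    own: the kind of clue an investigator pulls from the HTTP headers."""
    hits = []
    for e in events:
        if e["host"] not in site_hosts:
            hits.append(("host", e["sid"], e["ip"], e["host"], e["path"]))
        if e["ref"] != "-" and _host_of(e["ref"]) not in site_hosts:
            hits.append(("referer", e["sid"], e["ip"], _host_of(e["ref"]), e["path"]))
    return hits

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("shared sessions:", find_shared_sessions(ev))
    print("header anomalies:", find_header_anomalies(ev, {"shop.example.com"}))
```

A real deployment would read the server's own access-log format and add the timestamp, so that a session seen from two addresses within seconds is ranked above one that merely moved networks over a day.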
CLC Number: TP309
XU Guo-tian. The Research of Session Attack and Investigation Method[J]. 信息网络安全, 2014, 14(8): 21-27.
URL: http://netinfo-security.org/EN/10.3969/j.issn.1671-1122.2014.08.004
http://netinfo-security.org/EN/Y2014/V14/I8/21