a485ee9c19210fe04e7b0b64fede865f385ada20
diff --git a/src/c32_session.test.ts b/src/c32_session.test.ts
index 418e48dd25d55b651cd3a8b79fcc1a2add286d1e..e9464075dd8614ad961001127324db98e5ba7547 100644
--- a/src/c32_session.test.ts
+++ b/src/c32_session.test.ts
@@ -143,7 +143,13 @@ describe("c32_session — signSession / verifySession round-trip", () => {
 test("verifySession rejects a cookie with a forged signature", async () => {
 const cookie = await signSession("eve");
- const tampered = cookie.replace(/.$/, "0");
+ // Flip the LAST sig char to something *guaranteed* different —
+ // a fixed `replace(/.$/, "0")` collides when the original char is
+ // already "0" (~1 in 16 runs). Detect the original and flip to
+ // a hex digit it can never be.
+ const lastChar = cookie.slice(-1);
+ const tampered = cookie.slice(0, -1) + (lastChar === "f" ? "0" : "f");
+ expect(tampered).not.toBe(cookie);
 const result = await verifySession(tampered);
 expect(result).toBeNull();
 });
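Review bot: The new flip on the `const tampered = …` line relies on the signature being lowercase hex, which only the comment states. The `expect(tampered).not.toBe(cookie)` guard compares strings, so with an uppercase-hex or unpadded base64url signature the swapped character could still decode to the same bytes, and a verifier that decodes before comparing would accept it. Asserting the assumption right after `lastChar` is read, `expect(lastChar).toMatch(/^[0-9a-f]$/);`, would make a change of encoding fail loudly instead of intermittently. The test also still tampers only the final signature character; whether a modified payload under the original signature, or a truncated signature, is rejected would have to be covered by other tests in the describe block, which lies outside this hunk.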