Session id fixation attack

anze
2006-04-01
2013-04-09
  • anze
    2006-04-01

    Hi!

    I was just wondering how come the auth4.inc doesn't do session_regenerate_id() on successful login? That would prevent a session fixation attack. Would it break something to do so?

    Anze

    • Richard Archer
      2006-04-03

      I agree that it would be desirable to adopt the best practice of regenerating the session ID on login.

      I'd be happy to commit a patch to CVS if you post one here :)

      ...Richard.
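The change discussed in the thread, shown as an added example rather than code from the project's auth4.inc: a login handler that leaves the client-supplied session ID in place beside one that calls session_regenerate_id() only after the credentials check succeeds. verify_credentials() and the in-memory user table are constructed stand-ins for whatever the real auth code does.

```php
<?php
// Added example, not the project's auth4.inc. verify_credentials() is a
// hypothetical stand-in for the real credential check.

function verify_credentials(string $user, string $pass): bool
{
    // Constructed sample user store; a real application would look up a
    // password hash from its database.
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Vulnerable form: the session ID the browser presented before login is the
// one that becomes authenticated. If an attacker managed to plant that ID in
// the victim's browser beforehand, the attacker now shares the logged-in session.
function login_without_regeneration(string $user, string $pass): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!verify_credentials($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;
    return true;
}

// Hardened form: once the credentials check out, mint a new session ID and
// delete the old session data file (the `true` argument). Any ID fixed before
// login is no longer tied to an authenticated session.
function login_with_regeneration(string $user, string $pass): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!verify_credentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Usage from a POST handler:
// if (login_with_regeneration($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//     header('Location: /home');
//     exit;
// }
```

Two things worth checking before committing such a patch, in answer to the "would it break something?" question: session data is carried over to the new ID by session_regenerate_id(), so nothing stored in $_SESSION is lost, but any code that has stashed session_id() elsewhere (in a database row, a URL, or a hidden form field) will hold a stale value after the call. The delete_old_session argument requires PHP 5.1 or later; on older builds the old session file stays on disk until garbage collection, which still blocks the fixation because the old ID is no longer marked as logged in by the new handler only if you also clear its data, so on those versions unset the old session's fields before regenerating.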