I was just wondering how come the auth4.inc doesn't do session_regenerate_id() on successful login? That would prevent a session fixation attack. Would it break something to do so?
I agree that it would be desirable to adopt the best practice of regenerating the session ID on login.
I'd be happy to commit a patch to CVS if you post one here :)
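
What regenerating the session ID on successful login looks like in general, as an added example that is not part of this thread and not code from auth4.inc. The function name `login`, the `uid` session key and the sample user are assumptions, and the code targets PHP 7 or later.

```php
<?php
// Added example. login(), the 'uid' key and the sample user are hypothetical.
declare(strict_types=1);

// Reject session IDs the server did not issue, and accept them from cookies only.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');

// Constructed sample credential store (username => password hash).
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

function login(array $users, string $username, string $password): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $hash = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false; // Failed login: leave the anonymous session untouched.
    }
    // New ID, old session data deleted (true): an ID fixed in the browser
    // before login never becomes an authenticated session.
    if (!session_regenerate_id(true)) {
        return false;
    }
    $_SESSION['uid'] = $username; // Bind the identity to the new ID only.
    return true;
}

// Demo: run from the CLI; output is printed last so that no headers
// are sent before the session calls.
session_start();
$before = session_id();
$ok     = login($users, 'alice', 'correct horse');
$after  = session_id();
echo $ok && $before !== $after ? "session ID rotated on login\n" : "not rotated\n";
```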