I was just wondering how come the auth4.inc doesn't do session_regenerate_id() on successful login? That would prevent session fixation attack. Would it break something to do so?
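For reference, here is an added illustration of the point raised above (example code written for this thread, not the contents of auth4.inc or any other project file): a login handler that keeps whatever session ID the client arrived with, beside one that calls session_regenerate_id() once the credentials check out. The user store, the function names and the cookie settings are assumptions for the example only.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from auth4.inc. Shows a login handler that is open
 * to session fixation next to one that rotates the session ID on success.
 * userStore(), credentialsValid(), loginFixable() and loginHardened() are
 * illustrative names; the credential store below is constructed for the demo.
 */

// Constructed user store; a real application would query a database.
function userStore(): array
{
    static $store = null;
    if ($store === null) {
        $store = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $store;
}

function credentialsValid(string $user, string $pass): bool
{
    $hash = userStore()[$user] ?? null;
    return $hash !== null && password_verify($pass, $hash);
}

// Call before session_start(): reject IDs the server never issued and keep
// the cookie out of reach of script and plain-HTTP requests.
function hardenSessionConfig(): void
{
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Vulnerable: the session ID the client presented (possibly planted by an
// attacker through a crafted link or an injected cookie) is kept as-is and
// simply becomes an authenticated session that the attacker also knows.
function loginFixable(string $user, string $pass): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!credentialsValid($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;
    return true;
}

// Hardened: after the credentials are verified, issue a fresh ID and delete
// the old session data, so an ID the attacker chose no longer maps to anything.
function loginHardened(string $user, string $pass): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!credentialsValid($user, $pass)) {
        return false;
    }
    // true = remove the old session file rather than leaving it readable.
    session_regenerate_id(true);
    $_SESSION['user']      = $user;
    $_SESSION['auth_time'] = time();
    return true;
}

// Logout should discard the ID as well, not only the data behind it.
function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

// Small CLI demonstration: the ID after a successful login must differ.
if (PHP_SAPI === 'cli') {
    hardenSessionConfig();
    session_start();
    $before = session_id();
    $ok     = loginHardened('alice', 'correct horse battery staple');
    $after  = session_id();
    echo ($ok && $before !== $after)
        ? "login ok, session ID rotated\n"
        : "login failed or session ID unchanged\n";
}
```

One caveat worth knowing before committing such a patch: with session_regenerate_id(true) the old ID is deleted immediately, so a second request from the same browser that was already in flight with the old cookie will find no session and appear logged out. Applications that see that often keep the old session alive for a few seconds with an "obsolete" flag instead of deleting it outright; for a single login POST followed by a redirect it is normally not a problem.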
I agree that it would be desirable to adopt the best-practice of regenerating the session ID on login.
I'd be happy to commit a patch to CVS if you post one here :)