Session id fixation attack

anze
2006-04-01
2013-04-09
  • anze

    anze - 2006-04-01

    Hi!

    I was just wondering how come the auth4.inc doesn't do session_regenerate_id() on successful login? That would prevent a session fixation attack. Would it break something to do so?

    Anze

     
    • Richard Archer

      Richard Archer - 2006-04-03

      I agree that it would be desirable to adopt the best-practice of regenerating the session ID on login.

      I'd be happy to commit a patch to CVS if you post one here :)

      ...Richard.
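
The practice discussed in this thread, regenerating the session ID on successful login, as an added example (not the project's auth4.inc and not a patch to it). It assumes a current PHP version; `login()`, `verify_credentials()` and the sample account are hypothetical.

```php
<?php
// Added example, not the project's code. verify_credentials() and the
// account below are hypothetical stand-ins for the real auth check.
declare(strict_types=1);

// Constructed sample account; the hash is created with password_hash().
function verify_credentials(string $user, string $pass): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function login(string $user, string $pass): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!verify_credentials($user, $pass)) {
        return false;   // failed login: the anonymous session stays as it was
    }
    // Issue a fresh ID and delete the old session data (true), so an ID
    // fixed before login never becomes an authenticated session.
    if (!session_regenerate_id(true)) {
        return false;   // fail closed if a new ID cannot be issued
    }
    $_SESSION['auth_user'] = $user;
    return true;
}

// Demo: the ID in use before login must differ from the one after it.
ini_set('session.use_strict_mode', '1');  // refuse IDs the server did not issue
session_start();
$before = session_id();
$ok     = login('alice', 'correct horse');
$after  = session_id();
echo ($ok && $before !== $after) ? "session id rotated on login\n" : "not rotated\n";
```

Data already stored in `$_SESSION` before login is carried over to the new ID, so existing session contents are not lost by the rotation.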

       
