
Session Fixation Issue #413

Closed
@acinader

Description


When a user switches from a user-less to anonymous session and from an anonymous to a registered user, the PHPSESSID cookie value is unchanged, leaving open a session fixation exploit.

In the course of vulnerability testing our parse-server-backed PHP website, we became aware of this. In crafting a remedy, it seemed most natural to put the fix into the parse-php-sdk, where there is a single point to, I think, catch all use cases.

See: https://www.owasp.org/index.php/Session_fixation

Opening a pr to address this now.
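The pattern the issue describes, shown in plain PHP as an added example (this is not code from the issue, the linked PR, or parse-php-sdk). The `AUTH_*` constants and the `setAuthLevelVulnerable` / `setAuthLevelHardened` functions are assumed names for illustration; the point is that the vulnerable version keeps whatever PHPSESSID the client presented across the user-less → anonymous → registered transitions, while the hardened version calls `session_regenerate_id(true)` on every change of authentication level so a pre-planted session id never reaches the authenticated state.

```php
<?php
// Added example, not from the issue or from parse-php-sdk.
// Shows the session-fixation window described in the issue and the
// standard remedy: regenerate the PHP session id whenever the session's
// authentication level changes.

declare(strict_types=1);

// Assumed auth levels for this illustration (not a parse-php-sdk API).
const AUTH_NONE       = 0; // no user attached to the session yet
const AUTH_ANONYMOUS  = 1; // anonymous user
const AUTH_REGISTERED = 2; // logged-in registered user

function ensureSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Cookie flags are good hygiene but do not prevent fixation on their own.
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => true,
            'samesite' => 'Lax',
        ]);
        session_start();
    }
    if (!isset($_SESSION['auth_level'])) {
        $_SESSION['auth_level'] = AUTH_NONE;
    }
}

// VULNERABLE: the new user is stored under whatever PHPSESSID the client
// sent. If an attacker planted that id in the victim's browser before the
// victim logged in, the attacker now holds a valid authenticated session id.
function setAuthLevelVulnerable(int $level, ?string $userId): string
{
    ensureSession();
    $_SESSION['auth_level'] = $level;
    $_SESSION['user_id']    = $userId;
    return session_id(); // unchanged across the transition
}

// HARDENED: every change of authentication level gets a fresh session id.
// session_regenerate_id(true) also deletes the old session data, so the
// pre-login id can no longer be used to reach the authenticated state.
function setAuthLevelHardened(int $level, ?string $userId): string
{
    ensureSession();
    if ($_SESSION['auth_level'] !== $level) {
        session_regenerate_id(true);
    }
    $_SESSION['auth_level'] = $level;
    $_SESSION['user_id']    = $userId;
    return session_id(); // new id after each transition
}

// Demo (run from the CLI): walk the transitions the issue lists and check
// that the hardened path yields three distinct session ids.
ensureSession();
$ids = ['none' => session_id()];
$ids['anonymous']  = setAuthLevelHardened(AUTH_ANONYMOUS, 'anon-1');   // constructed id
$ids['registered'] = setAuthLevelHardened(AUTH_REGISTERED, 'user-42'); // constructed id

if (count(array_unique($ids)) !== 3) {
    fwrite(STDERR, "session id was not regenerated on an auth transition\n");
    exit(1);
}
echo "session id regenerated at each transition: ", implode(' -> ', $ids), "\n";
```

Run it with `php example.php`; with the file session handler the script works without a web server. The check to add to an application-level test is the one the demo performs: capture the session id before and after each login-type call and assert that it changed, and that a request presenting the old id no longer sees the authenticated session.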
