[Catalyst] Session id creation

[Tomas Doran]

On 6 Jun 2009, at 23:57, Bill Moseley wrote:

> In other words, it provides a way for users to generate their own
> session ids as long as it passes the validate_session_id method,
> which doesn't take much.

http://dev.catalyst.perl.org/repos/Catalyst/Catalyst-Plugin-Session/ 
0.00/trunk/t/live_session_fixation.t

I specifically wrote a test for this, however it's a test and not  
comprehensive, and I can't see without spending time to take a  
detailed look again if your case is proved or disproved by this test.

If what you're saying is true, then it's session fixation and fairly  
bad news - needs fixing.

Don't suppose you'd like to contribute a few more tests around here  
to prove or disprove the issue, as it's obviously on your mind?

Cheers
t0m