[Catalyst] Session id creation

Tomas Doran bobtfish at bobtfish.net
Wed Jun 10 09:26:36 GMT 2009

On 6 Jun 2009, at 23:57, Bill Moseley wrote:

> In other words, it provides a way for users to generate their own
> session ids as long as it passes the validate_session_id method,
> which doesn't take much.


I specifically wrote a test for this, however it's a test and not  
comprehensive, and I can't see without spending time to take a  
detailed look again if your case is proved or disproved by this test.

If what you're saying is true, then it's session fixation and fairly  
bad news - needs fixing.

Don't suppose you'd like to contribute a few more tests around here  
to prove or disprove the issue, as it's obviously on your mind?
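As an added illustration of the point under discussion (not code from this thread or from Catalyst, and in Python rather than Perl so it stays framework-neutral), the sketch below contrasts a session layer that adopts any well-formed id the client presents with one that only honours ids it issued itself and rotates the id on login. The 40-hex-character format rule is an assumption standing in for validate_session_id, not Catalyst's actual check; the attacker-chosen id and the victim login are constructed inputs.

```python
"""Session-id handling: a format-only check versus a store that only honours
ids it issued itself and rotates the id on login.  Added example, not
Catalyst code; the hex-format check stands in for validate_session_id."""
import re
import secrets

# Assumption: a session id is 40 lowercase hex characters (not Catalyst's rule).
SESSION_ID_RE = re.compile(r"[0-9a-f]{40}")


def validate_session_id(sid):
    """Format check only, in the spirit of the weak check discussed on the list."""
    return isinstance(sid, str) and SESSION_ID_RE.fullmatch(sid) is not None


class SessionStore:
    def __init__(self):
        self.sessions = {}  # session id -> session data

    def new_session(self, data=None):
        sid = secrets.token_hex(20)  # 20 random bytes -> 40 hex chars
        self.sessions[sid] = dict(data or {})
        return sid


def resolve_permissive(store, client_sid):
    """Adopts any well-formed id the client presents, creating the session if
    it does not exist yet.  This is the behaviour described in the quoted
    mail: the client can pick its own id as long as the format check passes."""
    if validate_session_id(client_sid):
        store.sessions.setdefault(client_sid, {})
        return client_sid
    return store.new_session()


def resolve_strict(store, client_sid):
    """Only honours ids the store issued; anything else gets a fresh id."""
    if validate_session_id(client_sid) and client_sid in store.sessions:
        return client_sid
    return store.new_session()


def login(store, sid, username, rotate):
    """Binds a user to the session; with rotate=True the id is replaced, so a
    pre-login id (client-chosen or not) never becomes an authenticated one."""
    data = store.sessions[sid]
    data["user"] = username
    if not rotate:
        return sid
    del store.sessions[sid]
    return store.new_session(data)


def fixation_outcome(resolve, rotate):
    """Simulated flow (constructed): a well-formed id that the store never
    issued arrives from the client, then the user logs in.  Returns True if
    that pre-chosen id ends up carrying the authenticated session."""
    store = SessionStore()
    preset_sid = "a" * 40  # well-formed, never issued by the store
    sid = resolve(store, preset_sid)
    sid = login(store, sid, "victim", rotate)
    return store.sessions.get(preset_sid, {}).get("user") == "victim"


if __name__ == "__main__":
    print("permissive, no rotation:", fixation_outcome(resolve_permissive, False))  # True
    print("permissive, rotation:   ", fixation_outcome(resolve_permissive, True))   # False
    print("strict, no rotation:    ", fixation_outcome(resolve_strict, False))      # False
```

The two mitigations are independent: refusing ids the server did not issue closes the gap Bill describes, and regenerating the id at login is the usual belt-and-braces defence that also covers ids leaked before authentication. A test suite for the session plugin would assert both: a presented id that was never issued must not be adopted, and the id after login must differ from the one before.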

