[SPAM] Re: [Catalyst] Session id creation

kmx kmx at volny.cz
Wed Jun 10 10:57:29 GMT 2009


> http://dev.catalyst.perl.org/repos/Catalyst/Catalyst-Plugin-Session/0.00/trunk/t/live_session_fixation.t
>
>
> I specifically wrote a test for this, however it's a test and not
> comprehensive, and I can't see without spending time to take a
> detailed look again if your case is proved or disproved by this test.
>
> If what you're saying is true, then it's session fixation and fairly
> bad news - needs fixing.
>
According to my tests against a real application, t0m is right and this
straightforward session fixation attack does not work.

On the other hand, there exists (at least in my opinion) another sort of
session fixation issue in Catalyst applications, discussed here:
http://rt.cpan.org/Public/Bug/Display.html?id=46318 - however, I was not
able to convince Jayk that it is a real issue :)

--
kmx
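The scenario the quoted test exercises, as an added illustration that is not part of the thread or of Catalyst::Plugin::Session: a minimal in-memory session store that refuses client-chosen ids and rotates the id on login, a deliberately weak variant that does neither, and a regression check in the spirit of live_session_fixation.t that tells them apart. All class and function names are constructed for this example.

```python
import secrets


class SessionStore:
    """Store that only honours ids it issued and rotates the id on login."""

    def __init__(self):
        self._sessions = {}  # sid -> session data

    def _new_sid(self):
        return secrets.token_hex(16)

    def get_or_create(self, presented_sid):
        # An id the store never issued (e.g. planted via URL or cookie)
        # is ignored and replaced by a freshly generated one.
        if presented_sid in self._sessions:
            return presented_sid
        sid = self._new_sid()
        self._sessions[sid] = {}
        return sid

    def login(self, sid, user):
        # Privilege change: move the data to a new id and drop the old one,
        # so an id known before authentication is useless afterwards.
        data = self._sessions.pop(sid)
        data["user"] = user
        new_sid = self._new_sid()
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


class NaiveStore(SessionStore):
    """Weak variant: accepts any presented id and keeps it across login."""

    def get_or_create(self, presented_sid):
        self._sessions.setdefault(presented_sid, {})
        return presented_sid

    def login(self, sid, user):
        self._sessions[sid]["user"] = user
        return sid


def fixation_check(store):
    """Present a pre-chosen id, log in, then verify the pre-chosen id and the
    pre-login id cannot reach the authenticated session."""
    planted = "deadbeef" * 4  # constructed value never issued by the store
    sid_before = store.get_or_create(planted)
    sid_after = store.login(sid_before, "alice")
    return (sid_before != planted
            and sid_after != sid_before
            and store.user_for(planted) is None
            and store.user_for(sid_before) is None
            and store.user_for(sid_after) == "alice")
```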
