[SPAM] Re: [Catalyst] Session id creation
Tomas Doran
bobtfish at bobtfish.net
Thu Jun 11 14:50:41 GMT 2009
kmx wrote:
> According to my tests against real application t0m is right and this
> straightforward session fixation attack does not work.
>
> On the other hand there exists (at least in my opinion) another sort of
> session fixation issue in Catalyst applications discussed here
> http://rt.cpan.org/Public/Bug/Display.html?id=46318 - however I was not
> able to convince Jayk that it is a real issue :)
I'm fairly convinced that we should at least give the user the option to
be extra paranoid if they want to, and we should add additional
documentation about potential issues.
I just haven't had time to work on any of this yet; it's somewhere on my
list - but if anyone else wants to volunteer patches, then they're very
welcome as always ;)
Cheers
t0m