[SPAM] Re: [Catalyst] Session id creation

Tomas Doran bobtfish at bobtfish.net
Thu Jun 11 14:50:41 GMT 2009


kmx wrote:
> According to my tests against a real application, t0m is right and this
> straightforward session fixation attack does not work.
> 
> On the other hand, there exists (at least in my opinion) another sort of
> session fixation issue in Catalyst applications, discussed here:
> http://rt.cpan.org/Public/Bug/Display.html?id=46318 - however I was not
> able to convince Jayk that it is a real issue :)

I'm fairly convinced that we should at least give the user the option to 
be extra paranoid if they want to, and we should add additional 
documentation about potential issues.

I just haven't had time to work on any of this yet, it's somewhere on my 
list - but if anyone else wants to volunteer patches, then they're very 
welcome as always ;)

Cheers
t0m