Session backends should all refuse user-defined, non-existent IDs
Reported by: jdunck | Owned by: nobody
Has patch: yes | Needs documentation: no
Needs tests: no | Patch needs improvement: no
DB session store refuses to use non-existent user-supplied session IDs. This is done in an attempt to avoid session fixation attacks.
Per George Sakkis on the mailing list, not all backends similarly refuse user-supplied IDs. File session apparently doesn't, for example.
All backends should be the same in this enforcement (or not).
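To make the difference between the two behaviours concrete, here is an added example (not Django's own session code): a toy store with a `reject_unknown_keys` switch, where `True` mirrors the DB backend's refusal of unknown client-supplied keys and `False` mirrors a backend that adopts whatever key the cookie carries. The `login_with_client_key` helper is hypothetical and simulates a login request arriving with a cookie value chosen by the client.

```python
import secrets


class SessionStore:
    """Minimal session store modelled on the behaviour the ticket describes.

    reject_unknown_keys=True: a key that does not exist in the backend is
    discarded and a fresh, server-generated key is issued (DB backend).
    reject_unknown_keys=False: the client-supplied key is adopted as-is,
    so an attacker can pre-choose the key a victim will authenticate under.
    """

    def __init__(self, backend, session_key=None, reject_unknown_keys=True):
        self._backend = backend  # dict: session_key -> session data (constructed stand-in)
        self._reject_unknown_keys = reject_unknown_keys
        self.session_key = session_key
        self._data = self._load()

    def _new_session_key(self):
        # Server-chosen and unpredictable; never derived from client input.
        return secrets.token_urlsafe(32)

    def _load(self):
        if self.session_key is not None and self.session_key in self._backend:
            # Known key: resume the existing session.
            return dict(self._backend[self.session_key])
        if self.session_key is not None and self._reject_unknown_keys:
            # Unknown key from the client: do not adopt it, start a fresh session.
            self.session_key = None
        if self.session_key is None:
            self.session_key = self._new_session_key()
        return {}

    def __setitem__(self, key, value):
        self._data[key] = value

    def save(self):
        self._backend[self.session_key] = dict(self._data)
        return self.session_key


def login_with_client_key(backend, client_key, reject_unknown_keys):
    """Simulate a login request carrying client_key in the session cookie.

    Returns the key under which the authenticated session was stored.
    """
    session = SessionStore(backend, client_key, reject_unknown_keys)
    session["user_id"] = 42  # constructed sample user
    return session.save()
```

With `reject_unknown_keys=False` the authenticated session lands under the client-chosen key; with `True` it lands under a fresh server-generated key, while keys that already exist in the backend are still honoured.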
Change History (10)
Changed 4 years ago by aaugustin
comment:8 Changed 4 years ago by aaugustin
- Needs tests unset
- Resolution set to needsinfo
- Status changed from new to closed