id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
13478	Session backends should all refuse user-defined, non-existent IDs	Jeremy Dunck	nobody	"DB session store refuses to use non-existent user-supplied session IDs.  This is done in an attempt to avoid session fixation attacks.

Per George Sakkis on the mailing list, not all backends similarly refuse user-supplied IDs. File session apparently doesn't, for example.

All backends should be the same in this enforcement (or not)."	Cleanup/optimization	closed	contrib.sessions	1.1	Normal	needsinfo			Accepted	1	0	0	0	0	0
