On 6 Jun 2009, at 23:57, Bill Moseley wrote:
> In other words, it provides a way for users to generate their own session ids as long as it passes the validate_session_id method, which doesn't take much.
http://dev.catalyst.perl.org/repos/Catalyst/Catalyst-Plugin-Session/0.00/trunk/t/live_session_fixation.t
I specifically wrote a test for this, however it's a test and not comprehensive, and I can't see without spending time to take a detailed look again if your case is proved or disproved by this test.
If what you're saying is true, then it's session fixation and fairly bad news - needs fixing.
Don't suppose you'd like to contribute a few more tests around here to prove or disprove the issue, as it's obviously on your mind?
Cheers

t0m

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/