When a user switches from a user-less to an anonymous session, and from an anonymous to a registered user, the PHPSESSID cookie value is unchanged, leaving open a session fixation exploit.
In the course of vulnerability testing our parse-server-backed PHP website, we became aware of this. In crafting a remedy, it seemed most natural to put the fix into the parse-php-sdk, where there is a single point to, I think, catch all use cases.
see: https://www.owasp.org/index.php/Session_fixation
Opening a PR to address this now.
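The standard mitigation for the problem described above is to issue a fresh session ID at every privilege transition (no user to anonymous, anonymous to registered) and discard the old one. The following is an added illustration in plain PHP, not code from parse-php-sdk or from the PR; the `promoteSession` helper, the role names and the `$_SESSION` keys are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of parse-php-sdk): call it at the point
// where the application moves a visitor to a higher-privilege state.
// Returns the session ID in effect after the call.
function promoteSession(string $newRole, ?string $userId = null): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $previousRole = $_SESSION['role'] ?? 'none';

    // The fixation window is the privilege transition itself: a session ID
    // that existed before the user was anonymous/registered may have been
    // planted by an attacker. Regenerate only when the role actually changes,
    // so ordinary requests keep their ID.
    if ($previousRole !== $newRole) {
        // true = delete the old session data so the old ID is dead, not
        // merely detached from the new session.
        session_regenerate_id(true);
    }

    $_SESSION['role'] = $newRole;
    if ($userId !== null) {
        $_SESSION['userId'] = $userId;
    }

    return session_id();
}

// Defensive check for a test suite: a login must never keep the pre-login ID.
function loginChangedSessionId(string $idBeforeLogin, string $idAfterLogin): bool
{
    return $idBeforeLogin !== '' && $idBeforeLogin !== $idAfterLogin;
}

// Typical use (constructed flow): anonymous visitor, then registration.
session_start();
$anonymousId = promoteSession('anonymous');            // new ID vs. the bare session
$registeredId = promoteSession('registered', 'user-123'); // new ID again
assert(loginChangedSessionId($anonymousId, $registeredId));
```

Where the SDK persists a new session token (for example in its session storage layer) is the natural single place to trigger this regeneration; the role-tracking shown here is only one way to detect the transition.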