@robocoder opened this issue on August 23rd 2009

Session conflicts may arise.

Suggested remedies:
- add Piwik_ prefix to session namespaces
- set session name (default is PHPSESSID; ZF sets it to ZFSESSION); what if user has set it in .htaccess?
- regenerate session ID at login/logout

@robocoder commented on September 8th 2009

In [1460], fixes #945 - Piwik sets the session.name to 'PIWIK_SESSID'; define('PIWIK_SESSION_NAME', ...) in bootstrap.php to override; session namespaces now prefixed by Piwik_. We regenerate session ID at login/logout to mitigate session fixation attacks.

This issue was closed on September 8th 2009
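
The three changes described in the fix comment, sketched in plain PHP as an added example (this is not Piwik's code from [1460]). The `example_*` function names are hypothetical, and the sketch uses `$_SESSION` directly instead of Zend Framework's session classes.

```php
<?php
// Added illustration, not Piwik's own code. All example_* names are hypothetical.

// Optional override, which the comment says belongs in bootstrap.php:
// define('PIWIK_SESSION_NAME', 'MY_CUSTOM_SESSID');

function example_start_session(): void
{
    // A dedicated cookie name keeps this app from sharing a session with
    // another PHP app on the same host that uses the default PHPSESSID.
    $name = defined('PIWIK_SESSION_NAME') ? PIWIK_SESSION_NAME : 'PIWIK_SESSID';
    session_name($name);
    session_start();
}

function example_namespace(string $name): string
{
    // Prefix every namespace so keys cannot collide with other code that
    // writes into the same session storage.
    return 'Piwik_' . $name;
}

function example_login(string $user): void
{
    // Issue a fresh ID when privileges change and delete the old session
    // data, so an ID fixed by an attacker before login no longer works.
    session_regenerate_id(true);
    $_SESSION[example_namespace('Auth')] = ['login' => $user];
}

function example_logout(): void
{
    unset($_SESSION[example_namespace('Auth')]);
    // Rotate again so the authenticated ID cannot be reused after logout.
    session_regenerate_id(true);
}

// Demo for the CLI: output is deferred because sessions need unsent headers.
if (PHP_SAPI === 'cli') {
    example_start_session();
    $before = session_id();
    example_login('constructed-user');
    $afterLogin = session_id();
    example_logout();
    $afterLogout = session_id();
    var_dump(session_name(), $before !== $afterLogin, $afterLogin !== $afterLogout);
}
```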