Deprecated: Joomla\Input\Input implements the Serializable interface, which is deprecated. Implement __serialize() and __unserialize() instead (or in addition, if support for old PHP versions is necessary) in /homepages/13/d380392445/htdocs/Jlive/libraries/vendor/joomla/input/src/Input.php on line 41

Deprecated: Return type of Joomla\Input\Input::count() should either be compatible with Countable::count(): int, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /homepages/13/d380392445/htdocs/Jlive/libraries/vendor/joomla/input/src/Input.php on line 170

Deprecated: KunenaControllerApplicationDisplay implements the Serializable interface, which is deprecated. Implement __serialize() and __unserialize() instead (or in addition, if support for old PHP versions is necessary) in /homepages/13/d380392445/htdocs/Jlive/libraries/kunena/controller/application/display.php on line 21

Deprecated: preg_match_all(): Passing null to parameter #2 ($subject) of type string is deprecated in /homepages/13/d380392445/htdocs/Jlive/administrator/components/com_easyblog/includes/adsense/adsense.php on line 138
Session Fixation Protection - Macrotone Blogs
By Geoffrey Chapman on Thursday, 08 March 2012
Category: Joomla Hints and Tips

Session Fixation Protection

Came across an interesting article on Session Fixation Protection [requires registration].  In essence a session fixation is a vulnerability caused by incorrectly handling user sessions in a Web application. A user’s session is usually tracked by a cookie, which is assigned when the user visits the page with the Web application for the first time. The problem occurs when this cookie does not change for the duration of the browsing session; users authenticate and log out, but their session cookie remains the same. This is often the default behaviour of an application.

Whilst understanding the problem, I tend to wonder just how much of a problem it actually is in real life.

The only solution is correct coding of the Web application, always assigning a new cookie immediately after a user has authenticated on a site.

Leave Comments