@robocoder opened this Issue on August 23rd 2009 Contributor

Session conflicts may arise.

Suggested remedies:

  • add Piwik_ prefix to session namespaces
  • set session name (default is PHPSESSID; ZF sets it to ZFSESSION); what if user has set it in .htaccess?
  • regenerate session ID at login/logout

@robocoder commented on September 8th 2009 Contributor

In [1460], fixes #945 - Piwik sets the session.name to 'PIWIK_SESSID'; define('PIWIK_SESSIONNAME', ...) in bootstrap.php to override; session namespaces now prefixed by Piwik. We regenerate session ID at login/logout to mitigate session fixation attacks.

This Issue was closed on September 8th 2009
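
The three measures discussed in this issue (a dedicated session name, prefixed session namespaces, and session ID regeneration at login/logout), sketched as an added PHP example. This is not Piwik's code from [1460]; the function names, the `Auth` namespace and the sample login are hypothetical, and only `PIWIK_SESSIONNAME`, `PIWIK_SESSID` and the `Piwik_` prefix come from the page.

```php
<?php
// Added example, not Piwik's own code. Function names are hypothetical.

// Allow an override defined earlier (e.g. in bootstrap.php), else use the default.
if (!defined('PIWIK_SESSIONNAME')) {
    define('PIWIK_SESSIONNAME', 'PIWIK_SESSID');
}

function startAppSession(): void
{
    // A dedicated cookie name keeps this application from sharing
    // PHPSESSID (or ZFSESSION) with other code on the same host.
    session_name(PIWIK_SESSIONNAME);
    session_start();
}

// Return a reference to a prefixed bucket inside $_SESSION so keys
// cannot collide with another application's session data.
function &sessionNamespace(string $name): array
{
    $key = 'Piwik_' . $name;
    if (!isset($_SESSION[$key]) || !is_array($_SESSION[$key])) {
        $_SESSION[$key] = [];
    }
    return $_SESSION[$key];
}

function onLogin(string $login): void
{
    // Issue a fresh ID once the user is authenticated, so an ID that was
    // set before login (session fixation) stops being valid.
    // Passing true deletes the old session's stored data.
    session_regenerate_id(true);
    $auth = &sessionNamespace('Auth');
    $auth['login'] = $login;
}

function onLogout(): void
{
    // Drop the authenticated state and rotate the ID again.
    unset($_SESSION['Piwik_Auth']);
    session_regenerate_id(true);
}

startAppSession();
onLogin('constructed-user'); // constructed sample value
onLogout();
```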