kmx wrote:
According to my tests against a real application, t0m is right and this
straightforward session fixation attack does not work.

On the other hand, there exists (at least in my opinion) another sort of
session fixation issue in Catalyst applications, discussed here:
http://rt.cpan.org/Public/Bug/Display.html?id=46318 - however, I was not
able to convince Jayk that it is a real issue :)

I'm fairly convinced that we should at least give the user the option to be extra paranoid if they want to, and we should add additional documentation about potential issues.

I just haven't had time to work on any of this yet; it's somewhere on my list - but if anyone else wants to volunteer patches, they're very welcome as always ;)

Cheers
t0m
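The thread refers to a session fixation scenario without spelling out the mitigation under discussion. The following is an added illustration, not code from this thread or from Catalyst::Plugin::Session: a generic in-memory session store in which the server only honours identifiers it issued itself, and a login step that optionally regenerates the session identifier at the moment of authentication. The `fixation_scenario` helper models the situation where an identifier is known to someone other than the user before login, and reports whether that pre-known identifier still resolves to an authenticated session afterwards. All names here are assumptions for the illustration.

```python
import secrets


class SessionStore:
    """Minimal server-side session store (constructed for this example).

    Only identifiers minted by create() are ever recognised, so a client
    presenting an arbitrary identifier does not get a session under that id.
    """

    def __init__(self):
        self._sessions = {}  # session id -> session data

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        # Unknown identifiers resolve to None rather than being adopted.
        return self._sessions.get(sid)

    def change_session_id(self, old_sid):
        """Move the session data to a freshly minted id and forget the old one."""
        data = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def login(store, sid, user, regenerate=True):
    """Authenticate `user` on the session `sid` and return the id the client
    should use from now on.

    With regenerate=True the identifier is rotated at the privilege change,
    so any id that was known before authentication stops being valid.
    """
    session = store.get(sid)
    if session is None:
        # Client-supplied id not issued by us: start a fresh session instead.
        sid = store.create()
        session = store.get(sid)
    session["user"] = user
    if regenerate:
        sid = store.change_session_id(sid)
    return sid


def fixation_scenario(regenerate):
    """Return True if an identifier known before login still yields the
    authenticated session afterwards (i.e. the fixation succeeds)."""
    store = SessionStore()
    known_sid = store.create()  # constructed: id disclosed before authentication
    store_sid_after_login = login(store, known_sid, "alice", regenerate=regenerate)
    assert store.get(store_sid_after_login)["user"] == "alice"
    via_known = store.get(known_sid)
    return via_known is not None and via_known.get("user") == "alice"


if __name__ == "__main__":
    print("without regeneration, pre-known id is authenticated:", fixation_scenario(False))
    print("with regeneration, pre-known id is authenticated:   ", fixation_scenario(True))
```

The two calls at the bottom make the contrast visible: without rotation the pre-known identifier carries the authenticated session, with rotation it resolves to nothing. Rotating the identifier on every privilege change (login, role elevation) and refusing unknown identifiers are the two properties a practitioner would check in a session layer.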

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/