Database

Description

The session cookie does not change after a valid login, which allows an attacker to hijack the user's session by setting the victim's session cookie to a value already known to the attacker.

Impact

Hijack a valid user session.

Recommendation

Invalidate the anonymous cookie and create a new one after a successful login.
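The following Python example, added here and not part of the original entry, shows the difference between a login handler that keeps the pre-login session identifier and one that follows the recommendation. It assumes a server-side session store (modelled as an in-memory dictionary) and session identifiers drawn from `secrets`; both are illustrative assumptions, not a specific framework's API.

```python
import secrets


class SessionStore:
    """Minimal server-side session store: session id -> session data (constructed for illustration)."""

    def __init__(self):
        self._sessions = {}

    def _new_id(self):
        # 256 bits from the OS CSPRNG; unguessable by an attacker
        return secrets.token_urlsafe(32)

    def create_anonymous(self):
        """Issue the session cookie a visitor receives before authenticating."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        """Look up session data; None means the id is not (or no longer) valid."""
        return self._sessions.get(sid)

    def login_vulnerable(self, sid, username):
        """Login that keeps the anonymous id: the session is upgraded in place.

        Anyone who already knows `sid` (for example because they planted it in the
        victim's browser) now holds an authenticated session for `username`.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            raise KeyError("unknown session")
        sess["user"] = username
        return sid  # same cookie value before and after login

    def login_fixed(self, sid, username):
        """Login that applies the recommendation.

        The anonymous session is invalidated and a freshly generated id is issued
        with the authenticated state, so a pre-login id is worthless afterwards.
        """
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": username}
        return new_sid  # the Set-Cookie response must carry this new value


def rotates_on_login(login_fn):
    """Check a login handler: return True only if the id changes and the old one is invalidated.

    `login_fn` is a bound method such as `store.login_fixed`; the store is reached
    through `login_fn.__self__`. Useful as a regression test for this weakness.
    """
    store = login_fn.__self__
    old = store.create_anonymous()
    new = login_fn(old, "alice")
    return new != old and store.get(old) is None and store.get(new)["user"] == "alice"


if __name__ == "__main__":
    store = SessionStore()
    print("vulnerable handler rotates id:", rotates_on_login(store.login_vulnerable))  # False
    print("fixed handler rotates id:", rotates_on_login(store.login_fixed))  # True
```

The check in `rotates_on_login` is the property to verify during remediation: the cookie value returned after authentication must differ from the pre-login value, and the pre-login value must no longer resolve to any session.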

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⏱️ 120 minutes.