Session fixation in Joomla 3.2

The support for Joomla 2.5 ended on December 31, 2014. Possible bugs in Joomla 2.5 will not be patched anymore. This forum has been closed. Please update your website to Joomla 3.x

Moderator: ooffick

Forum rules
Please use the official Bug Tracker to report a bug:
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 114
Joined: Sat Nov 04, 2006 1:39 pm
Location: Hyderabad, India

Session fixation in Joomla 3.2

Post by ryadavalli » Mon Sep 29, 2014 11:01 am

A security audit has flagged our Joomla 3.2 instance as "session fixable". They point to the fact that cookie value does not change before and after login.
While I noticed that this was an issue in 1.5.15 which was fixed in 1.5.16, I can also verify to the fact that cookie value does not change pre and post login by a registered user in Joomla 3.2. At the same time, I cannot believe that such an issue was left out in the open for so long in 3.2, but I could not find any documentation that tells me this issue does not exist in J3.2.
I request someone to give me some info about this. How is Joomla 3.2 handling session fixation issue?


Return to “Joomla! 2.5 Bug Reporting”