Security announcements

MSA-10-0009: Session fixation prevention now turned on by default

 
Picture of Petr Skoda
Topic: Session fixation prevention now turned on by default
Severity/Risk: Major
Versions affected: 1.8.x and <1.9.8
Reported by: Sascha Herzog
Issue no.: MDL-21788
Solution: upgrade to 1.9.8 and confirm the enabling of session id regeneration


Description:
Enabling the "Regenerate session id during login" setting is now strongly recommended for all production servers. It is now compatible with all official authentication plugins, including mnet.
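Why the setting matters, shown as an added example (a simplified Python model, not Moodle's code): with regeneration off, a session id that existed before login is the authenticated id after login; with it on, the pre-login id is destroyed. `SessionStore`, its methods and the user name are hypothetical.

```python
import secrets


class SessionStore:
    """Minimal server-side session table: session id -> session data."""

    def __init__(self, regenerate_on_login):
        # Models the "Regenerate session id during login" site setting.
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}

    def start(self, presented_id=None):
        """Reuse the presented id if the server knows it, else issue a new one."""
        if presented_id in self.sessions:
            return presented_id
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate the session; return the id the browser must use next."""
        data = self.sessions[sid]
        if self.regenerate_on_login:
            # Move the data to a fresh id and destroy the pre-login id.
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = data
        data["user"] = user
        return sid

    def user_for(self, sid):
        """Return the user bound to this id, or None if unknown/anonymous."""
        return self.sessions.get(sid, {}).get("user")


def pre_login_id_still_authenticated(regenerate_on_login):
    """True if an id issued before login maps to the user after login."""
    store = SessionStore(regenerate_on_login)
    pre_login_id = store.start()  # id that existed before authentication
    post_login_id = store.login(store.start(pre_login_id), "alice")  # constructed user
    assert store.user_for(post_login_id) == "alice"
    return store.user_for(pre_login_id) == "alice"


if __name__ == "__main__":
    print("regeneration off:", pre_login_id_still_authenticated(False))
    print("regeneration on: ", pre_login_id_still_authenticated(True))
```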