| Topic: | Session fixation prevention now turned on by default |
| Severity/Risk: | Major |
| Versions affected: | 1.8.x and <1.9.8 |
| Reported by: | Sascha Herzog |
| Issue no.: | MDL-21788 |
| Solution: | upgrade to 1.9.8 and confirm the enabling of session id regeneration |
Description:
Enabling of "Regenerate session id during login" setting is now strongly recommended for all production servers. It is now compatible with all official authentication plugins including mnet.