Topic: Session fixation prevention now turned on by default
Severity/Risk: Major
Versions affected: 1.8.x and <1.9.8
Reported by: Sascha Herzog
Issue no.: MDL-21788
Solution: Upgrade to 1.9.8 and confirm that session id regeneration is enabled
Description:
Enabling the "Regenerate session id during login" setting is now strongly recommended for all production servers. It is now compatible with all official authentication plugins, including mnet.