- Improvement
- Resolution: Fixed
- Critical
- 4.3.2
- None
Two issues in one:
- when logging out, the session is invalidated, but a session is then recreated for the anonymous user with the same ID as before (although session.isNew() returns true), even though an anonymous user gets no session when none existed previously
- when logging in, the existing session is not invalidated, so the same session ID is kept across authentication.
This behavior is flagged as a threat by security scanning tools. At the very least, we should invalidate any existing session when logging in.
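An added example, not Magnolia's own code, showing how login and logout handling with the plain servlet API addresses both points above: the pre-login session is invalidated before the authenticated session is created (so the client receives a new ID), and the logout path never calls getSession() in a form that recreates a session. The attribute names "locale" and "user" are assumptions for illustration; changeSessionId() requires Servlet 3.1 or later.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Magnolia code): session handling around login and
 * logout that avoids the two problems described in the ticket.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Call after credentials have been verified and before the authenticated
     * principal is stored. Returns the session that now carries the
     * authenticated state; the client receives its ID in a fresh cookie.
     */
    public static HttpSession onLoginSuccess(HttpServletRequest request, String userName) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            // Carry over only attributes that are safe to keep (assumed here:
            // a locale preference); everything else dies with the old session.
            Object locale = old.getAttribute("locale");
            if (locale != null) {
                carried.put("locale", locale);
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("user", userName);
        return fresh;
    }

    /**
     * Alternative on Servlet 3.1+: keep all attributes and replace only the
     * identifier. Throws IllegalStateException if the request has no session.
     */
    public static String rotateIdOnly(HttpServletRequest request) {
        return request.changeSessionId();
    }

    /**
     * Logout: invalidate and do not create a replacement. Any code on the
     * logout path that calls request.getSession() without the false argument
     * silently creates a new session for the now-anonymous user.
     */
    public static void onLogout(HttpServletRequest request) {
        HttpSession s = request.getSession(false);
        if (s != null) {
            s.invalidate();
        }
        // Code running later in this request must use getSession(false)
        // and tolerate a null result.
    }

    /**
     * Regression check for the ticket: the ID the client sees after login
     * must differ from the one it sent. Use in an integration test that
     * captures the session cookie before and after authenticating.
     */
    public static boolean idWasRotated(String idBeforeLogin, HttpSession afterLogin) {
        return idBeforeLogin == null || !idBeforeLogin.equals(afterLogin.getId());
    }
}
```

Containers differ on whether a session created immediately after invalidate() may reuse the identifier the client sent in its cookie, which is consistent with the same-ID-after-logout symptom reported above; the idWasRotated check is there to catch that case at the integration-test level rather than trusting the container's behaviour.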
Acceptance criteria
- is duplicated by: MAGNOLIA-3556 Session Identifier Not Updated (Closed)