When a user switches from a user-less to an anonymous session, and from an anonymous to a registered user, the PHPSESSID cookie value is unchanged, leaving open a session fixation exploit.
In the course of vulnerability testing our parse-server-backed PHP website, we became aware of this. In crafting a remedy, it seemed most natural to put the fix into the parse-php-sdk, where there is a single point to, I think, catch all use cases.
see: https://www.owasp.org/index.php/Session_fixation
Opening a PR to address this now.
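The mitigation the issue describes, rotating the PHP session id at each privilege transition, as an added example that is not part of the issue or of parse-php-sdk's own code. It assumes plain PHP sessions (the PHPSESSID cookie) and that the application stores the current principal level under a `$_SESSION['principal_level']` key; the `ParseUser` calls in the usage sketch are illustrative and not checked against the SDK's API.

```php
<?php
// Added example (not parse-php-sdk code): regenerate the PHP session id whenever
// the principal bound to the session changes, so an id issued to a user-less
// visitor is never carried into an anonymous or registered session.
//
// Assumption: the application keeps the current principal level in
// $_SESSION['principal_level'] (a name chosen for this example).

const LEVEL_NONE       = 0;  // no Parse user attached to the session
const LEVEL_ANONYMOUS  = 1;  // anonymous ParseUser
const LEVEL_REGISTERED = 2;  // registered ParseUser (username/password or OAuth)

/**
 * Call immediately after a login or anonymous-login step succeeds.
 * Returns true when the session id was regenerated.
 */
function bindPrincipalToSession(int $newLevel): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $oldLevel = $_SESSION['principal_level'] ?? LEVEL_NONE;
    $_SESSION['principal_level'] = $newLevel;

    if ($newLevel === $oldLevel) {
        return false; // no privilege transition, keep the current id
    }

    // A privilege boundary was crossed: issue a fresh id and delete the old
    // session data so the pre-transition id is useless to anyone holding it.
    session_regenerate_id(true);
    return true;
}

/**
 * Call on logout: drop all session data, expire the cookie and destroy the
 * session so the registered-user id cannot be reused afterwards.
 */
function clearPrincipalSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage sketch; the ParseUser method names are illustrative only:
//   $user = ParseUser::loginWithAnonymous();  bindPrincipalToSession(LEVEL_ANONYMOUS);
//   $user = ParseUser::logIn($name, $pass);   bindPrincipalToSession(LEVEL_REGISTERED);
//   ParseUser::logOut();                      clearPrincipalSession();
```

To check the fix in a deployed site, record the PHPSESSID cookie value before visiting the site, after the anonymous login and after the registered login; each transition must produce a different value, and the earlier values must no longer resolve to a live session.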