Description
We are currently using ZK 5.0.10 and during Veracode analysis, the scanner found this bug:
Type: Session Fixation
Description:
The application never invalidates user sessions, which can lead to session fixation attacks. As a result, the session identifier stays the same before, during, and after a user has logged in or out. An attacker may attempt to force a user into using a specific session identifier, then hijack the session once the user has logged in.
Recommendations:
Invalidate any existing session after the user has authenticated but before calling methods that establish the UserPrincipal. Also, invalidate the session object when a user logs out, otherwise the session will remain valid on the server.
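The two recommendations above, written out as an added example that is not part of this report and not ZK's own code. It uses only the standard servlet API, so it assumes the login and logout handlers have access to the `HttpServletRequest` (in ZK that can be obtained from the execution's native request); the class name `SessionRotation`, the attribute name `user.principal` and the allowlist of carried attributes are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not part of ZK) that closes the Veracode finding:
 * the session id is rotated at login and the session is destroyed at logout.
 */
public final class SessionRotation {

    /** Attribute name under which the authenticated principal is stored (assumed). */
    public static final String PRINCIPAL_ATTR = "user.principal";

    /**
     * Pre-login attributes that may survive the rotation. An allowlist keeps a
     * value seeded into the attacker-chosen session from being carried across.
     */
    private static final String[] CARRY_OVER = { "locale", "returnTo" };

    private SessionRotation() {}

    /**
     * Call after credentials were verified but before the principal is stored.
     * Any session the browser arrived with (possibly an identifier fixed by an
     * attacker) is invalidated and a fresh one with a new id is created.
     */
    public static HttpSession rotateOnLogin(HttpServletRequest request, Object principal) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            // Read the allowed attributes first: after invalidate() the old
            // session object throws IllegalStateException on every accessor.
            for (String name : CARRY_OVER) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    carried.put(name, value);
                }
            }
            old.invalidate(); // the pre-login id is now unknown to the server
        }
        HttpSession fresh = request.getSession(true); // container issues a new id here
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // Establish the principal only on the session the attacker cannot know.
        fresh.setAttribute(PRINCIPAL_ATTR, principal);
        return fresh;
    }

    /** Logout: drop the session server-side so the id cannot be reused. */
    public static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

Two practical notes. On Servlet 3.1 and later containers, `request.changeSessionId()` rotates the identifier while keeping the attributes, which avoids the copy step; the invalidate-then-recreate form above works on the older containers ZK 5 typically ran on. In ZK the session also holds the desktops of the open pages, so after either call the client must be sent to a fresh page (for example with a redirect to the post-login or post-logout URL) rather than continuing to post events against a desktop that no longer exists.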