Subject: Support for generating new session id
Date: Wed, 9 Jan 2008 14:24:06 +0100
To: bug-CGI-Application-Plugin-Authentication [...] rt.cpan.org, bug-CGI-Application-Plugin-Session [...] rt.cpan.org
From: Robert Bauck Hamar <r.b.hamar [...] usit.uio.no>
The book /Innocent Code/ (<URL:http://innocentcode.thathost.com/>)
stresses the importance of generating new session IDs after
authentication. This is due to a security hazard:
If a person accesses a page using authentication and sessions (say
http://example.com/example.cgi), a session id will be generated for him.
If he now tricks a victim into accessing the page URL with this session id
in the query (ex: http://example.com/example.cgi?CGISESSID=secretid), he
might now have given the victim a valid session id, and if the victim
logs in, the attacker will hold an authenticated session id.
The fix is simple: When a user's credentials are verified, a new session
should be generated as a copy of the old one before it is marked as
authenticated.
I request:
* a renew method in CAP::Session that will create a new session as a
copy of the existing, replace the session object, and generate a new
cookie header.
* a config option for CAP::Store::Session to use this method whenever a
user logs in. This could be implemented so that whenever save is
called with a given key, a new session should be generated.
or something similar.
--
Robert Bauck Hamar
USIT/SAPP/GT - Cerebrum
http://www.uio.no/sok?person=hamar
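As an added illustration (not code from the report, from CGI::Application::Plugin::Session, or from CGI::Session), the scenario described in the message played out against a constructed in-memory session store, once without and once with the requested renew-on-login step. The SessionStore and App classes, the user table and the credentials are all assumptions made for this example; the only detail taken from the report is that the session id is accepted from a CGISESSID query parameter as well as from the cookie.

```python
# Added illustration of the session-fixation scenario from the report and
# of the regenerate-on-login fix. This is not CGI::Application or
# CGI::Session code: the store, the app and the user table are constructed
# stand-ins for the example.
import secrets


class SessionStore:
    """Minimal server-side session store keyed by session id."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def resolve(self, sid):
        """Return the id the client presented if it is a known session,
        otherwise start a fresh session for a client with none."""
        if sid in self._sessions:
            return sid
        return self.create()

    def data(self, sid):
        return self._sessions[sid]

    def renew(self, sid):
        """The requested 'renew': copy the session under a fresh id and
        retire the old id, so any copy of the old id held elsewhere is dead."""
        new_sid = self.create()
        self._sessions[new_sid] = dict(self._sessions[sid])
        del self._sessions[sid]
        return new_sid

    def is_authenticated(self, sid):
        return sid in self._sessions and "user" in self._sessions[sid]


USERS = {"alice": "correct horse battery"}  # constructed credentials


class App:
    """Tiny stand-in for example.cgi; regenerate_on_login selects the fix."""

    def __init__(self, store, regenerate_on_login):
        self.store = store
        self.regenerate_on_login = regenerate_on_login

    def request(self, cookie_sid=None, query_sid=None, login=None):
        """Handle one request and return the session id that would go back
        in the Set-Cookie header. The id is accepted from the cookie or, as
        in the report, from a CGISESSID query parameter."""
        sid = self.store.resolve(query_sid or cookie_sid)
        if login is not None:
            user, password = login
            if USERS.get(user) == password:
                if self.regenerate_on_login:
                    sid = self.store.renew(sid)
                self.store.data(sid)["user"] = user
        return sid


def run_fixation_attack(regenerate_on_login):
    """Play the attack from the report; returns True if the attacker ends
    up holding an authenticated session id."""
    store = SessionStore()
    app = App(store, regenerate_on_login)

    # 1. The attacker visits the page and is issued a session id.
    attacker_sid = app.request()

    # 2. The attacker lures the victim to example.cgi?CGISESSID=<attacker_sid>.
    #    The victim has no cookie yet, so the id from the query is adopted.
    victim_sid = app.request(query_sid=attacker_sid)

    # 3. The victim logs in with valid credentials.
    victim_sid = app.request(cookie_sid=victim_sid,
                             login=("alice", "correct horse battery"))

    # 4. The attacker presents the id handed out in step 2.
    return store.is_authenticated(attacker_sid)


if __name__ == "__main__":
    print("without renew on login, attacker authenticated:",
          run_fixation_attack(False))
    print("with renew on login, attacker authenticated:",
          run_fixation_attack(True))
```

The attacker's id is authenticated only in the first run. Note that renew has to retire the old id as well as copy the data under the new one; if the old id stayed valid after the copy, the victim's login would still be reachable through it.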