When PL detects a stolen PL cookie, it invalidates all PL sessions for that user. It should also invalidate all open sessions for that user since there is no way to know which is the attacker's.

It would be great if it could also deliver a warning message to the user; look carefully into the session gymnastics that occurs.

Comments

bjaspan’s picture

Status: Active » Closed (fixed)

Fixed.