Showing posts from October, 2012

Case of Session Identifier not Updated

Background

Rational AppScan is an automated web testing tool that can be used to produce reports of web application vulnerabilities, so we usually use it to make sure our apps are well protected before releasing them to the wild internet.

The problem

The problem with detection tools is that they sometimes raise a false alarm, such as when AppScan declared that the session identifier was not updated:

[1 of 2] Session Identifier Not Updated
Severity: High
Test Type: Application
Vulnerable URL: https://myinternalapp.com/application name/
Remediation Tasks: Do not accept externally created session identifiers
Variant 1 of 1 [ID=26] The following may require user attention:

My normal reaction, because the app is a Yii framework-based PHP application, was that I should add a Yii::app()->session->regenerateID() call during the login action. Imagine my surprise when, upon retesting with Rational AppScan, it spat out errors like these:

Stopping scan due to out of session detection

I vag