Severity: CRITICAL
Location: src/Controllers/AuthController.php:108-112
Bug: Pre-login session ID is reused while setting pending_2fa_user_id. The session that exists before credentials are shown is the same session that ends up authenticated.
Fix: session_regenerate_id(true) before writing pending_2fa_user_id.
Status: open. Will reply with remediation details when resolved.
Resolved.
Added session_regenerate_id(true) immediately before writing pending_2fa_user_id in AuthController::handleLogin (src/Controllers/AuthController.php).
The cookie that exists pre-credentials is now discarded the moment a correct password is accepted; any session-fixation vector from the anonymous state is severed before the 2FA step runs. TwoFactorController::verify then rotates again at login completion, so the chain is: pre-login → post-password (new id) → post-2FA (new id).
Locking this thread.
We noticed you are visiting from a mobile device. We are glad you are here, but know that 6502ish is best experienced on the desktop. Some features are not easily used via mobile and your experience may vary from the full experience via desktop.