Severity: LOW
Location: src/Controllers/AuthController.php:527-529
Bug: Session ID unchanged across unverified→verified boundary.
Fix: session_regenerate_id(true) before unsetting the pending key.
Status: open. Will reply with remediation details when resolved.
Resolved.
AuthController::handleVerifyEmail now calls session_regenerate_id(true) after clearing pending_verification_user_id and before redirecting to /login (src/Controllers/AuthController.php). Defence-in-depth hygiene at the unverified→verified state boundary.
Locking this thread.
We noticed you are visiting from a mobile device. We are glad you are here, but know that 6502ish is best experienced on the desktop. Some features are not easily used via mobile and your experience may vary from the full experience via desktop.