Showing results for 
Search instead for 
Did you mean: 

Session Fixation 2.3


Session Fixation 2.3

Hello! I'm having issues with customer sessions, they don't seem to be invalidated on logout and I can't find a way of doing so; I've tried plugins and observers to explicitly destroy the session without luck. I must be missing something. 


To explain further, take the following example:

1) Open Burp suite (or some proxy) and login as a customer
2) Navigate to My Profile page
3) Capture the post request, copy to clipboard, and drop it.

4) Logout from customer my account

5) In Burp, paste the request into the 'Repeater'

6) Change some name value in the repeater dialog, e.g. john smith => not john

7) Send the request, follow re-directions... 200! 

8) Login as user again and see name change.

I would expect 4) to invalidate the session and 7) to return a 403 or at least a 200 with an error because the session is no longer valid and isLoggedIn() should be false anyway. Is this happening in your installation?


Additionally, I am very confused by the following:

// In Magento\Customer\Controller\Account\EditPost controller...
public function execute()
   if ($this->session->isLoggedIn()){
         // We get here somehow.


Does anyone have experience with or can explain how Magento is handling sessions here?



Thanks in advance


Re: Session Fixation 2.3

Hello @john_plesner ,


I had this same problem few months back that when I was trying to logout the customer, and again I tried to access dashboard page, it was showing the previous customer name, but when I click on any link(page) from dashboard which was not cached, it was redirecting me to logout.

Please check this scenario first if this is occurring with you too, try to hard reload(ctrl + f5), go to different pages of customer.

and if this is occurring with you, update cache false for my dashboard page.

Problem Solved ? Click on 'Kudos' & Accept as Solution to encourage to write more answers !

Re: Session Fixation 2.3

Hi @gaurav_harsh1 


I appreciate you response and I apologise if I didn't explain correctly.


Unfortunately this is not the issue I am concerned with. The actual functionality of the site works correctly and always has. The concern is related to session security; if an attacker captures a user's session, they are able to use that session to submit forms even after the customer has logged out (i.e their session has ended). 


It seems that the session doesn't 'end' (become invalidated) as expected. Instead the same session ID can be used to submit forms.


Re: Session Fixation 2.3

Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the