Update authentication.md

[skip ci]
jasny · Apr 19, 2020 · 4ea8cf3 · 4ea8cf3
1 parent 2e75f94
commit 4ea8cf3
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/docs/authentication.md b/docs/authentication.md
@@ -78,6 +78,22 @@ $auth = (new Auth($levels, new AuthStorage()))
     ->withEventDispatcher(new EventDispatcher($listeners));
 ```
 
+#### Session fixation
+
+In a [session fixation attack](https://en.wikipedia.org/wiki/Session_fixation), an attacker gets hold of user's session id
+and keeps using it. In order to mitigate such an attack, the session id should be regenerated on login and the session
+should be destroyed on logout.
+
+```php
+$listeners = (new ListenerProvider())
+    ->withListener(function(Event\Login $login): void {
+        session_regenerate_id();
+    })
+    ->withListener(function(Event\Logout $logout): void {
+        session_destroy();
+    });
+```
+
 ### Recalc
 
 Recalculate the authz roles and store the current auth information in the session.