From 4ea8cf3e31287ecfd785e294416b4e4bb7a70eea Mon Sep 17 00:00:00 2001 From: Arnold Daniels Date: Sun, 19 Apr 2020 06:39:32 +0200 Subject: [PATCH] Update authentication.md [skip ci] --- docs/authentication.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/authentication.md b/docs/authentication.md index 186bb30..bd6d04f 100644 --- a/docs/authentication.md +++ b/docs/authentication.md @@ -78,6 +78,22 @@ $auth = (new Auth($levels, new AuthStorage())) ->withEventDispatcher(new EventDispatcher($listeners)); ``` +#### Session fixation + +In a [session fixation attack](https://en.wikipedia.org/wiki/Session_fixation), an attacker gets hold of user's session id +and keeps using it. In order to mitigate such an attack, the session id should be regenerated on login and the session +should be destroyed on logout. + +```php +$listeners = (new ListenerProvider()) + ->withListener(function(Event\Login $login): void { + session_regenerate_id(); + }) + ->withListener(function(Event\Logout $logout): void { + session_destroy(); + }); +``` + ### Recalc Recalculate the authz roles and store the current auth information in the session.
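Review bot: in the new "Session fixation" section the login listener calls `session_regenerate_id();` without the `delete_old_session` argument, so the old session record is left in the session store with its data intact and an attacker who already holds the old id can keep using it; suggest `session_regenerate_id(true);` so the old session is removed when the id is rotated. The logout listener has the same gap: `session_destroy();` on its own clears the server-side data but leaves the `$_SESSION` array populated for the rest of the request and does not expire the session cookie in the browser, so consider `$_SESSION = [];` before the destroy and expiring the cookie (for example with `setcookie(session_name(), '', time() - 3600);`) so the client stops presenting the stale id. Finally, the prose "an attacker gets hold of user's session id and keeps using it" describes session hijacking rather than fixation; in a fixation attack the attacker plants a session id they already know before the victim logs in, which is exactly why regenerating the id at login is the mitigation, and the sentence also needs "a user's session id".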