Comment 1 for bug 978896

Thomas Biege (thomas-suse-deactivatedaccount) wrote:

The following output is from the owasp.pl tool of my test-suite [1].

thomas:~/test-suite> ./owasp.pl output=short openstack_horizon_lpd978896.ini

[...removed output for session_fixation_public()...]

    DBG: OWASP_SM_003::session_fixation_private(http://test:80/auth/login/, POST, method=Login&username=admin&password=openstack)
    DBG: 1. try to login with 'method=Login&username=eviled&password=eviled' (attacker)
    DBG: OWASP_SM_003::session_fixation_private: cookie = 'sessionid=a917fb9e5c35b03b690aa24ed1815a16; Path=/'
    DBG: 2. try to login with 'method=Login&username=admin&password=openstack' (victim)
    DBG: OWASP_SM_003::session_fixation_private: session cookie = 'sessionid=a917fb9e5c35b03b690aa24ed1815a16; Path=/'
    DBG: OWASP_SM_003::session_fixation_private: new cookie = 'sessionid=a917fb9e5c35b03b690aa24ed1815a16; Path=/'
    DBG: 3. compare cookie 'sessionid'
    DBG: OWASP_SM_003::session_fixation_private: logged out
=====> OWASP_SM_003::session_fixation_private: CWE-384 (Session Fixation): code = 1 (msg = 'FAIL:Vulnerable to Session Fixation Attack by authenticated users (http://test:80/auth/login/)')

2 tests in 2 secs.

[1] https://gitorious.org/test-suite/test-suite
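Added illustration (not the reporter's code, not part of owasp.pl or Horizon): a minimal in-memory session model with a login handler that keeps the client-presented session id (the CWE-384 behaviour the output above reports) next to one that issues a fresh id at authentication, as Django's `request.session.cycle_key()` does, plus a check that replays the report's three steps. User accounts and ids are constructed for the example.

```python
import secrets

USERS = {"admin": "openstack", "eviled": "eviled"}  # constructed test accounts


class SessionStore:
    """In-memory session store keyed by the value of the 'sessionid' cookie."""

    def __init__(self):
        self.sessions = {}

    def new(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def get(self, sid):
        # An unknown or missing cookie gets a fresh anonymous session.
        if sid not in self.sessions:
            sid = self.new()
        return sid, self.sessions[sid]


def login_vulnerable(store, sid, username, password):
    """Authenticates but keeps whatever session id the client presented (CWE-384)."""
    if USERS.get(username) != password:
        return None
    sid, data = store.get(sid)
    data["user"] = username
    return sid


def login_hardened(store, sid, username, password):
    """Authenticates and moves the session data to a freshly generated id."""
    if USERS.get(username) != password:
        return None
    old_sid, data = store.get(sid)
    new_sid = store.new()
    store.sessions[new_sid] = dict(data, user=username)
    del store.sessions[old_sid]  # the pre-login id must stop working
    return new_sid


def session_fixation_check(login):
    """True if a session id obtained before login is still the id after another login."""
    store = SessionStore()
    attacker_sid = login(store, None, "eviled", "eviled")            # step 1
    victim_sid = login(store, attacker_sid, "admin", "openstack")    # step 2
    return victim_sid == attacker_sid                                # step 3
```

The same check against a live deployment is what the owasp.pl run above does over HTTP; the fix on the server side is the id rotation shown in `login_hardened`, applied at every authentication, not only at logout.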