Comment 3 for bug 978896

Thomas Biege (thomas-suse-deactivatedaccount) wrote :

Exploitation is harder using cookies, see http://en.wikipedia.org/wiki/Cross-site_cooking

Someone can argue that the bug is in the browser of course, but nevertheless creating a new session cookie after login seems to be missing. Not sure if it is Django's responsibility or if it is designed to be done by the dashboard.

Another attack vector can be an XSS attack, see
https://www.owasp.org/index.php/Session_fixation
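As an added illustration of the missing step the comment describes (example code, not from the bug report, Horizon or Django), a constructed in-memory session store contrasting a login that keeps the pre-login session id with one that issues a fresh id, and a small simulation showing which of the two leaves a previously known id authenticated:

```python
import secrets


class SessionStore:
    """Constructed toy session store: session id -> dict of session data."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # unguessable server-generated id
        self.sessions[sid] = {}
        return sid

    def current_user(self, sid):
        return self.sessions.get(sid, {}).get("user")

    def login_no_rotation(self, sid, username):
        # Weak pattern: the id presented before login simply becomes authenticated.
        self.sessions.setdefault(sid, {})["user"] = username
        return sid

    def login_with_rotation(self, sid, username):
        # Mitigation: retire the pre-login id and issue a fresh one on privilege change,
        # carrying over any pre-login data the application still needs.
        data = self.sessions.pop(sid, {})
        new_sid = self.new_session()
        self.sessions[new_sid] = {**data, "user": username}
        return new_sid


def known_id_becomes_authenticated(rotate_on_login):
    """Return True if an id known before login is authenticated after the user logs in.

    The precondition (a third party knowing the pre-login id, e.g. via the
    cookie-planting or XSS paths the comment links to) is assumed, not modelled.
    """
    store = SessionStore()
    known_sid = store.new_session()  # anonymous id that is known before login
    login = store.login_with_rotation if rotate_on_login else store.login_no_rotation
    user_sid = login(known_sid, "victim")  # user authenticates presenting that id
    assert store.current_user(user_sid) == "victim"  # user is logged in either way
    return store.current_user(known_sid) == "victim"
```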