Zend-Session session validation vulnerability
Zend\Session session validators do not work as expected if set prior to the start of a session. For instance, the following test case fails (where $this->manager is an instance of Zend\Session\SessionManager): $this ->manager ->getValidatorChain() ->attach('session.validate', array(new RemoteAddr(), 'isValid')); $this->manager->start(); $this->assertSame( array( 'Zend\Session\Validator\RemoteAddr' =3D> '', ), $_SESSION['__ZF']['_VALID'] ); The implication is that subsequent calls to Zend\Session\SessionManager#start() (in later requests, assuming a session was created) will not have any validator metadata attached, …