Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks.
Catalyst::Plugin::Authentication does not automatically change the session id after authentication. An attacker that obtains a session id cookie can use this to impersonate the victim.
Users of Catalyst::Plugin::Session or Catalyst::Plugin::Starch should call the change_session_id method after authentication.
Users of Plack::Middleware::Session should set the change_id flag after logging in.
Users may also apply the linked patch.
Users should upgrade to version 0.10_027 or later.