Re: Joomla: Session hijacking vulnerability, CVE-2008-4122

[darkz.gsa () gmail com]

Yes, I can reproduce this behavior. The application should reinitialize the cookie after the login but instead it will 
keep the previous cookie. An interesting thing this is valid only for the login_module, the administrator login page 
does not automatically redirect to HTTPS by configuration.