Session Cookie issue


We are working on a Grav CMS based web site for one of our clients. The client IT has run pentests on our website before allowing it to go live. Unfortunately, our website didn't successfully pass the pentests, mainly because of a GRAV session fixation issue: « The application differentiates users by issuing a session cookie with a unique value. Unfortunately, the application does not issue a new session cookie and value to the user after a successful login. Instead, the user is forced to use the (old) session cookie issued before authentication. » The IT recommendation is to « invalidate any already existing session cookie when a user has logged in. Further, make sure a new session cookie is assigned to the user after a successful authentication attempt is made in order to avoid session fixation attacks. ».

Is there any means to correct the issue without hacking the GRAV core? Indeed, we don't want to lose further updates.

Thank you for your help!
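The mitigation the pentest report asks for (drop the pre-authentication session id and issue a fresh one once the credentials check out) is what PHP's `session_regenerate_id(true)` does. The following is an added, generic PHP illustration of that pattern; it is not Grav's own code, does not use any Grav API, and does not say where in Grav such a call would be hooked. The user table and password are constructed for the example.

```php
<?php
// Added example, not Grav code: a minimal PHP login flow that rotates the
// session identifier after a successful authentication, so the cookie value
// the client held before logging in no longer maps to the authenticated session.
declare(strict_types=1);

// Constructed demo credential store: username => password hash.
// The hash is computed at runtime only so the example is self-contained.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function startSecureSession(): void
{
    // HttpOnly keeps scripts away from the id, Secure restricts it to HTTPS,
    // SameSite=Lax limits cross-site sending of the cookie.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    // Strict mode rejects ids the server never issued, so an id handed to the
    // browser by a third party is not silently adopted as a valid session.
    ini_set('session.use_strict_mode', '1');
    session_start();
}

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Rotate the id: the old session data is discarded (argument `true`) and
    // a new Set-Cookie header carries the fresh id to the client. This is the
    // step the pentest finding says is missing.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['authenticated_at'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser, then destroy the server-side state.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

startSecureSession();
$before = session_id();

if (login($users, 'alice', 'correct horse battery staple')) {
    $after = session_id();
    // The check a tester performs: the id after login must differ from the
    // id that was issued before authentication.
    echo $before === $after ? "FAIL: session id unchanged\n" : "OK: session id rotated\n";
}
```

The verification step mirrors what the pentest did: capture the session cookie value from the unauthenticated response, log in, and confirm that the response to the login request sets a different cookie value. If it is the same, the fixation finding stands.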