CDA: use different cookies for each protected vhost instead of one for all
In a recent security audit of our LL::NG platform, the expert pointed out an issue with the fact that all the virtual hosts are protected with the same session id/cookie. So, if someone steals the cookie, he could access all the applications the cookie-owner user can access. He suggests dealing with secondary session ids/cookies to limit the impact of stealing a cookie.
Does this make sense to you? Is this achievable?