It's not the "PHPSESSID" parameter - instead it's the "XTCsid" parameter which is vulnerable to a session fixation attack. Workaround: ================ Update to xt:Commerce 3.0.4 SP 2.1