Session Fixation Vulnerability in /admin/loginc.php

[ghost]

/admin/loginc.php

include '../config.php';
if (!session_id()) {
    session_start();
}
$res = $db->select('setting', array('name' => 'admin'));
if ($_POST['password'] == $res[0]['value'] && strtolower($_POST['captcha']) == strtolower($_SESSION['captcha']['code'])) {
    $_SESSION['alogin'] = true;
    header('Location: index.php');
} else {
    header('Location: login.php?err=1');
}

Like Session Fixation Vulnerability in /loginc.php, the system does not regenerate a new session_id after the admin successfully logged in, which could lead to admin account takeover with the help of any XSS vulnerability in the same domain.