diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index 79cb4ed32..1f0f0db0d 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -27,6 +27,7 @@
 - fixed #11976: Use Container URL in search gives user Permission Denied
 - fixed #11985: Search.pl should warn on bad assets
 - fixed #12008: Activity CleanLoginHistory is too slow
+ - fixed #12004: SSO operation vulnerable to session fixation attacks
 
 7.10.6
 - fixed #11974: Toolbar icons unclickable in Webkit using HTML5
diff --git a/docs/upgrades/upgrade_7.10.6-7.10.7.pl b/docs/upgrades/upgrade_7.10.6-7.10.7.pl
index 90847d0c2..f88dc9013 100644
--- a/docs/upgrades/upgrade_7.10.6-7.10.7.pl
+++ b/docs/upgrades/upgrade_7.10.6-7.10.7.pl
@@ -33,6 +33,7 @@ my $session = start(); # this line required
 # upgrade functions go here
 addEmailIndexToProfile( $session );
 addIndecesToUserLoginLog($session);
+addSSOOptionToConfigs($session);
 
 finish($session); # this line required
 
@@ -46,6 +47,15 @@ finish($session); # this line required
 # print "DONE!\n" unless $quiet;
 #}
 
+#----------------------------------------------------------------------------
+# Add an index to the userProfileData table for email lookups
+sub addSSOOptionToConfigs {
+ my $session = shift;
+ print "\tAdding SSO flag to config file to enable the feature... " unless $quiet;
+ $session->config->set('enableSimpleSSO', 0);
+ print "DONE!\n" unless $quiet;
+}
+
 #----------------------------------------------------------------------------
 # Add an index to the userProfileData table for email lookups
 sub addEmailIndexToProfile {
diff --git a/etc/WebGUI.conf.original b/etc/WebGUI.conf.original
index c20e726d4..b10fd4141 100644
--- a/etc/WebGUI.conf.original
+++ b/etc/WebGUI.conf.original
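Review bot: The header comment on addSSOOptionToConfigs is copied from addEmailIndexToProfile and describes an index on userProfileData, while the sub actually writes the enableSimpleSSO key into the site config; the progress message likewise says the flag is added "to enable the feature" although the value written is 0, so the feature stays off. Replace the comment with `# Add the enableSimpleSSO flag to the site config, off by default` and the message with `print "\tAdding enableSimpleSSO flag (disabled by default) to config file... " unless $quiet;`. Writing 0 is the right default here: the SSO operation grants login to whoever presents a valid sessionId, so sites should have to opt in explicitly.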
@@ -1097,6 +1097,9 @@ # An array of SPAM words. Used in the Post and WikiPage to block spam by sending the asset directly # to the trash. "spamStopWords" : [ - ] + ], + +# A flag to enable a very simple SSO mechanism using sessionIds. + "enableSimpleSSO" : 0 }
diff --git a/lib/WebGUI/Operation/SSO.pm b/lib/WebGUI/Operation/SSO.pm
index 9075b3db0..564e15e14 100644
--- a/lib/WebGUI/Operation/SSO.pm
+++ b/lib/WebGUI/Operation/SSO.pm
@@ -26,12 +26,15 @@ TODO
 
 =head2 www_ssoViaSessionId
 
-TODO: DOCUMENT ME
+Allows a user to login as another user, by referencing that user's sessionId. Requires that
+sessionId is passed as a form or URL parameter. It does NOT duplicate the original user's session,
+it just switches you to that user.
 
 =cut
 
 sub www_ssoViaSessionId {
 my $session = shift;
+ return undef unless $session->config->get('enableSimpleSSO');
 my $sessionId = $session->form->get("sessionId");
 if (defined $sessionId && $sessionId ne "") {
 if ($sessionId eq $session->getId) {
@@ -41,7 +44,7 @@ sub www_ssoViaSessionId {
 my ($userId) = $session->db->quickArray("select userId from userSession where sessionId=?",[$sessionId]);
 if (defined $userId && $userId ne "") {
 $session->var->end;
- $session->var->start($userId, $sessionId);
+ $session->var->start($userId);
 }
 }
 }
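Review bot: The new POD does not mention that the operation is inert unless enableSimpleSSO is set in the site config, nor what enabling it exposes: any request carrying a valid sessionId switches the caller to that user, so the flag should only be turned on where session ids are never disclosed through logs, referrers or shared URLs. Add a sentence such as `Disabled unless C<enableSimpleSSO> is true in the site config. When enabled, possession of a valid sessionId is sufficient to become that user; a fresh session id is issued on switch rather than adopting the supplied one.` The new guard uses `return undef`, which yields a one-element list in list context; `return;` is the idiomatic form if the dispatcher only tests the value in scalar context, so confirm how the operation's return is consumed before changing it. www_ssoViaSessionId continues past the end of this hunk.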
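Review bot: The change from `$session->var->start($userId, $sessionId)` to `$session->var->start($userId)` closes the fixation vector only if var->start mints a fresh, unpredictable id when no id is passed; that is presumably its behaviour, but since this single line is the whole fix it is worth confirming against WebGUI::Session::Var. Nothing on this path records the account switch, and because it lets one session become another user, a log line naming the current and target userId before `$session->var->end` would make the event auditable. The enclosing sub starts in the previous hunk.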