force regenerate session id on successful login, remove previous blank SID check

diff --git a/classes/handler/public.php b/classes/handler/public.php
index e892a9797003c05302acac45cef2f17e62acb9d2..7cce7d71b061d24f5bf1f93093b9b5173456e354 100755 (executable)
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -476,8 +476,6 @@ class Handler_Public extends Handler {
                                session_set_cookie_params(0);
                        }
 
-                       @session_start();
-
                        if (authenticate_user($login, $password)) {
                                $_POST["password"] = "";
 
@@ -501,6 +499,10 @@ class Handler_Public extends Handler {
                                        }
                                }
                        } else {
+
+                               // start an empty session to deliver login error message
+                               @session_start();
+
                                $_SESSION["login_error_msg"] = __("Incorrect username or password");
                                user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
                        }

diff --git a/include/functions.php b/include/functions.php
index d88e96dd600ce75b3f32a6fcbb4d4099cd05ce2d..3cd21969d27f90f3b86d509832b1c8bfb7d2f6fc 100755 (executable)
--- a/include/functions.php
+++ b/include/functions.php
@@ -712,7 +712,14 @@
                        }
 
                        if ($user_id && !$check_only) {
-                               @session_start();
+
+                               if (session_status() != PHP_SESSION_NONE) {
+                                       session_destroy();
+                                       session_commit();
+                               }
+
+                               session_start();
+                               session_regenerate_id(true);
 
                                $_SESSION["uid"] = $user_id;
                                $_SESSION["version"] = VERSION_STATIC;

diff --git a/include/sessions.php b/include/sessions.php
index 2d17bfd8e388363edef677662e8ac4db944649f2..f625cd16f59415f7c672662dffba84bc2afae88b 100644 (file)
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -160,9 +160,5 @@
        if (!defined('NO_SESSION_AUTOSTART')) {
                if (isset($_COOKIE[session_name()])) {
                        @session_start();
-
-                       if (!$_SESSION['uid']) {
-                               logout_user();
-                       }
                }
        }