From: Andrew Dolgov Date: Mon, 15 Oct 2018 12:47:50 +0000 (+0300) Subject: force regenerate session id on successful login, remove previous blank SID check X-Git-Tag: 18.12~59 X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=65e98f40867862eb345676e23b633b9f52109d30;p=tt-rss.git force regenerate session id on successful login, remove previous blank SID check --- diff --git a/classes/handler/public.php b/classes/handler/public.php index e892a979..7cce7d71 100755 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -476,8 +476,6 @@ class Handler_Public extends Handler { session_set_cookie_params(0); } - @session_start(); - if (authenticate_user($login, $password)) { $_POST["password"] = ""; @@ -501,6 +499,10 @@ class Handler_Public extends Handler { } } } else { + + // start an empty session to deliver login error message + @session_start(); + $_SESSION["login_error_msg"] = __("Incorrect username or password"); user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING); } diff --git a/include/functions.php b/include/functions.php index d88e96dd..3cd21969 100755 --- a/include/functions.php +++ b/include/functions.php @@ -712,7 +712,14 @@ } if ($user_id && !$check_only) { - @session_start(); + + if (session_status() != PHP_SESSION_NONE) { + session_destroy(); + session_commit(); + } + + session_start(); + session_regenerate_id(true); $_SESSION["uid"] = $user_id; $_SESSION["version"] = VERSION_STATIC; diff --git a/include/sessions.php b/include/sessions.php index 2d17bfd8..f625cd16 100644 --- a/include/sessions.php +++ b/include/sessions.php @@ -160,9 +160,5 @@ if (!defined('NO_SESSION_AUTOSTART')) { if (isset($_COOKIE[session_name()])) { @session_start(); - - if (!$_SESSION['uid']) { - logout_user(); - } } }