From: Andrew Dolgov
Date: Tue, 16 Oct 2018 06:11:32 +0000 (+0300)
Subject: another attempt to enforce session ID regeneration on login
X-Git-Tag: 18.12~55
X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=f730d7bb0ac691153eacd80844bb530dca04e3cc;p=tt-rss.git

another attempt to enforce session ID regeneration on login
---
diff --git a/classes/handler/public.php b/classes/handler/public.php
index 7cce7d71..de9c9684 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -503,7 +503,9 @@ class Handler_Public extends Handler {
 // start an empty session to deliver login error message
 @session_start();
- $_SESSION["login_error_msg"] = __("Incorrect username or password");
+ if (!isset($_SESSION["login_error_msg"]))
+ $_SESSION["login_error_msg"] = __("Incorrect username or password");
+
 user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
 }
diff --git a/include/functions.php b/include/functions.php
index a04a393e..5588590a 100755
--- a/include/functions.php
+++ b/include/functions.php
@@ -714,9 +714,11 @@
 if ($user_id && !$check_only) {
+ /* if a session is started here there's a stale login cookie we need to clean */
+
 if (session_status() != PHP_SESSION_NONE) {
- session_destroy();
- session_commit();
+ $_SESSION["login_error_msg"] = __("Stale session cookie found, try logging in again");
+ return false;
 }
 session_regenerate_id(true);
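Review bot: The braceless `if` added in front of the `$_SESSION["login_error_msg"]` assignment preserves a message an earlier step already stored (such as the one set in the include/functions.php hunk of this commit), but the `user_error("Failed login attempt ...")` on the following line still fires unconditionally, so a request rejected only because of a stale session cookie is logged as a failed login for that address, which can skew brute-force detection or lockout rules that consume this log line. If that case is meant to be told apart, gate or reword the log entry when the message was already present; otherwise a short comment such as `// a stale-cookie rejection is deliberately counted as a failed attempt here` would stop a reader from "fixing" it. Style: PER-CS/PSR-12 asks for braces on the single-statement `if`, i.e. `if (!isset($_SESSION["login_error_msg"])) { ... }`. The enclosing method starts and ends outside the hunk.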
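Review bot: The new stale-session branch sets `$_SESSION["login_error_msg"]` and returns false without touching the session ID, so `session_regenerate_id(true)` below is now skipped in exactly the case where the ID came from an old client cookie — the session-fixation situation that regeneration exists to close — and the comment's "we need to clean" is not acted on by anything in the hunk. Unless the caller destroys the session after reading the message (outside this hunk), a retry with the same cookie will land in this branch again. Since the message has to survive to be displayed, regenerating rather than destroying fits here: `session_regenerate_id(true);` before `return false;` keeps the session data and discards the old ID. Minor: `session_status()` returns an int, so `!== PHP_SESSION_NONE` is the strict form. The enclosing function starts and ends outside the hunk.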