From 65e98f40867862eb345676e23b633b9f52109d30 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Mon, 15 Oct 2018 15:47:50 +0300 Subject: [PATCH] force regenerate session id on successful login, remove previous blank SID check --- classes/handler/public.php | 6 ++++-- include/functions.php | 9 ++++++++- include/sessions.php | 4 ---- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/classes/handler/public.php b/classes/handler/public.php index e892a979..7cce7d71 100755 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -476,8 +476,6 @@ class Handler_Public extends Handler { session_set_cookie_params(0); } - @session_start(); - if (authenticate_user($login, $password)) { $_POST["password"] = ""; @@ -501,6 +499,10 @@ class Handler_Public extends Handler { } } } else { + + // start an empty session to deliver login error message + @session_start(); + $_SESSION["login_error_msg"] = __("Incorrect username or password"); user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING); } diff --git a/include/functions.php b/include/functions.php index d88e96dd..3cd21969 100755 --- a/include/functions.php +++ b/include/functions.php @@ -712,7 +712,14 @@ } if ($user_id && !$check_only) { - @session_start(); + + if (session_status() != PHP_SESSION_NONE) { + session_destroy(); + session_commit(); + } + + session_start(); + session_regenerate_id(true); $_SESSION["uid"] = $user_id; $_SESSION["version"] = VERSION_STATIC; diff --git a/include/sessions.php b/include/sessions.php index 2d17bfd8..f625cd16 100644 --- a/include/sessions.php +++ b/include/sessions.php @@ -160,9 +160,5 @@ if (!defined('NO_SESSION_AUTOSTART')) { if (isset($_COOKIE[session_name()])) { @session_start(); - - if (!$_SESSION['uid']) { - logout_user(); - } } } -- 2.39.5