From f730d7bb0ac691153eacd80844bb530dca04e3cc Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Tue, 16 Oct 2018 09:11:32 +0300
Subject: [PATCH] another attempt to enforce session ID regeneration on login

---
 classes/handler/public.php | 4 +++-
 include/functions.php | 6 ++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/classes/handler/public.php b/classes/handler/public.php
index 7cce7d71..de9c9684 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -503,7 +503,9 @@ class Handler_Public extends Handler {
 // start an empty session to deliver login error message
 @session_start();
- $_SESSION["login_error_msg"] = __("Incorrect username or password");
+ if (!isset($_SESSION["login_error_msg"]))
+ $_SESSION["login_error_msg"] = __("Incorrect username or password");
+ user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
 }
diff --git a/include/functions.php b/include/functions.php
index a04a393e..5588590a 100755
--- a/include/functions.php
+++ b/include/functions.php
@@ -714,9 +714,11 @@ if ($user_id && !$check_only) {
+ /* if a session is started here there's a stale login cookie we need to clean */
+ if (session_status() != PHP_SESSION_NONE) {
- session_destroy();
- session_commit();
+ $_SESSION["login_error_msg"] = __("Stale session cookie found, try logging in again");
+ return false;
 }
 session_regenerate_id(true);
--
2.39.5
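Review bot: The new `isset` guard keeps whatever `login_error_msg` the resumed session already carries, but nothing in this hunk removes that key afterwards, so a message left by an earlier request (presumably the "Stale session cookie found" text that functions.php now writes before returning false) keeps displacing "Incorrect username or password" for as long as that session cookie survives, unless the code that renders it also unsets it. Consider clearing the key at the point it is displayed, or writing it unconditionally here and reserving the guard for the stale-cookie case only, so the user sees the message that matches the attempt they just made. Separately, the unchanged `user_error()` call on the next line interpolates the raw `$login` into the log; a username containing CR/LF can forge additional log entries, so sanitise it first, e.g. `user_error("Failed login attempt for " . str_replace(array("\r", "\n"), " ", $login) . " from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);`. The enclosing method of Handler_Public starts before this hunk.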
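Review bot: After this change `session_regenerate_id(true)` on the hunk's last line is only reached when `session_status()` is PHP_SESSION_NONE, and on PHP 7+ `session_regenerate_id()` refuses to run without an active session (it emits a warning and returns false), so neither branch now yields a fresh session id: an existing session makes the login fail, and no session leaves nothing to regenerate. The active-session branch also replaces the old `session_destroy()` with a message written into that same stale session, so the cookie the user is told to get rid of is left exactly where it was and the next attempt can hit the same branch. A sequence that actually defeats fixation is to make sure a session is active, drop its contents, then regenerate: `if (session_status() != PHP_SESSION_ACTIVE) session_start();`, `$_SESSION = array();`, `session_regenerate_id(true);` — the `true` argument deletes the old session data server-side, which is what the removed `session_destroy()` was providing. Note also that PHP_SESSION_DISABLED satisfies `!= PHP_SESSION_NONE`, so on a host with sessions disabled every login would fail with a misleading "stale cookie" message; comparing against PHP_SESSION_ACTIVE is the intended test. The enclosing function starts before this hunk and continues after it.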