From: Andrew Dolgov <noreply@fakecake.org>
Date: Mon, 15 Oct 2018 12:47:50 +0000 (+0300)
Subject: force regenerate session id on successful login, remove previous blank SID check
X-Git-Tag: 18.12~59
X-Git-Url: https://git.wh0rd.org/?p=tt-rss.git;a=commitdiff_plain;h=65e98f40867862eb345676e23b633b9f52109d30;hp=74736fce0f89efbaa971e6817303e8840c4aed8f

force regenerate session id on successful login, remove previous blank SID check
---

diff --git a/classes/handler/public.php b/classes/handler/public.php
index e892a979..7cce7d71 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -476,8 +476,6 @@ class Handler_Public extends Handler {
 				session_set_cookie_params(0);
 			}
 
-			@session_start();
-
 			if (authenticate_user($login, $password)) {
 				$_POST["password"] = "";
 
@@ -501,6 +499,10 @@ class Handler_Public extends Handler {
 					}
 				}
 			} else {
+
+				// start an empty session to deliver login error message
+				@session_start();
+
 				$_SESSION["login_error_msg"] = __("Incorrect username or password");
 				user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
 			}
diff --git a/include/functions.php b/include/functions.php
index d88e96dd..3cd21969 100755
--- a/include/functions.php
+++ b/include/functions.php
@@ -712,7 +712,14 @@
 			}
 
 			if ($user_id && !$check_only) {
-				@session_start();
+
+				if (session_status() != PHP_SESSION_NONE) {
+					session_destroy();
+					session_commit();
+				}
+
+				session_start();
+				session_regenerate_id(true);
 
 				$_SESSION["uid"] = $user_id;
 				$_SESSION["version"] = VERSION_STATIC;
diff --git a/include/sessions.php b/include/sessions.php
index 2d17bfd8..f625cd16 100644
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -160,9 +160,5 @@
 	if (!defined('NO_SESSION_AUTOSTART')) {
 		if (isset($_COOKIE[session_name()])) {
 			@session_start();
-
-			if (!$_SESSION['uid']) {
-				logout_user();
-			}
 		}
 	}