summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Dolgov <[email protected]>2018-10-15 15:47:50 +0300
committerAndrew Dolgov <[email protected]>2018-10-15 15:47:50 +0300
commit65e98f40867862eb345676e23b633b9f52109d30 (patch)
treee52d5e33eb31fff3ca3b4106540475eb13fd4ce2
parent74736fce0f89efbaa971e6817303e8840c4aed8f (diff)
force regenerate session id on successful login, remove previous blank SID check
Diffstat
-rwxr-xr-xclasses/handler/public.php6
-rwxr-xr-xinclude/functions.php9
-rw-r--r--include/sessions.php4
3 files changed, 12 insertions, 7 deletions
diff --git a/classes/handler/public.php b/classes/handler/public.php
index e892a9797..7cce7d71b 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -476,8 +476,6 @@ class Handler_Public extends Handler {
session_set_cookie_params(0);
}
- @session_start();
-
if (authenticate_user($login, $password)) {
$_POST["password"] = "";
@@ -501,6 +499,10 @@ class Handler_Public extends Handler {
}
}
} else {
+
+ // start an empty session to deliver login error message
+ @session_start();
+
$_SESSION["login_error_msg"] = __("Incorrect username or password");
user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
}
diff --git a/include/functions.php b/include/functions.php
index d88e96dd6..3cd21969d 100755
--- a/include/functions.php
+++ b/include/functions.php
@@ -712,7 +712,14 @@
}
if ($user_id && !$check_only) {
- @session_start();
+
+ if (session_status() != PHP_SESSION_NONE) {
+ session_destroy();
+ session_commit();
+ }
+
+ session_start();
+ session_regenerate_id(true);
$_SESSION["uid"] = $user_id;
$_SESSION["version"] = VERSION_STATIC;
diff --git a/include/sessions.php b/include/sessions.php
index 2d17bfd8e..f625cd16f 100644
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -160,9 +160,5 @@
if (!defined('NO_SESSION_AUTOSTART')) {
if (isset($_COOKIE[session_name()])) {
@session_start();
-
- if (!$_SESSION['uid']) {
- logout_user();
- }
}
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-30 11:21:16 +0000