force regenerate session id on successful login, remove previous blank SID check

author: Andrew Dolgov <[email protected]> 2018-10-15 15:47:50 +0300
committer: Andrew Dolgov <[email protected]> 2018-10-15 15:47:50 +0300
commit: 65e98f40867862eb345676e23b633b9f52109d30 (patch)
tree: e52d5e33eb31fff3ca3b4106540475eb13fd4ce2 /classes
parent: 74736fce0f89efbaa971e6817303e8840c4aed8f (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/classes/handler/public.php b/classes/handler/public.php
index e892a9797..7cce7d71b 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -476,8 +476,6 @@ class Handler_Public extends Handler {
 				session_set_cookie_params(0);
 			}
 
-			@session_start();
-
 			if (authenticate_user($login, $password)) {
 				$_POST["password"] = "";
 
@@ -501,6 +499,10 @@ class Handler_Public extends Handler {
 					}
 				}
 			} else {
+
+				// start an empty session to deliver login error message
+				@session_start();
+
 				$_SESSION["login_error_msg"] = __("Incorrect username or password");
 				user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
 			}
author	Andrew Dolgov <[email protected]>	2018-10-15 15:47:50 +0300
committer	Andrew Dolgov <[email protected]>	2018-10-15 15:47:50 +0300
commit	65e98f40867862eb345676e23b633b9f52109d30 (patch)
tree	e52d5e33eb31fff3ca3b4106540475eb13fd4ce2 /classes
parent	74736fce0f89efbaa971e6817303e8840c4aed8f (diff)