Browse Source

another attempt to enforce session ID regeneration on login

Andrew Dolgov 2 months ago
parent
commit
f730d7bb0a
2 changed files with 7 additions and 3 deletions
  1. 3 1
      classes/handler/public.php
  2. 4 2
      include/functions.php

+ 3 - 1
classes/handler/public.php

@@ -503,7 +503,9 @@ class Handler_Public extends Handler {
 				// start an empty session to deliver login error message
 				@session_start();
 
-				$_SESSION["login_error_msg"] = __("Incorrect username or password");
+				if (!isset($_SESSION["login_error_msg"]))
+					$_SESSION["login_error_msg"] = __("Incorrect username or password");
+
 				user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
 			}
 

+ 4 - 2
include/functions.php

@@ -714,9 +714,11 @@
 
 			if ($user_id && !$check_only) {
 
+				/* if a session is started here there's a stale login cookie we need to clean */
+
 				if (session_status() != PHP_SESSION_NONE) {
-					session_destroy();
-					session_commit();
+					$_SESSION["login_error_msg"] = __("Stale session cookie found, try logging in again");
+					return false;
 				}
 
 				session_regenerate_id(true);