force regenerate session id on successful login, remove previous blank SID check

This commit is contained in:
Andrew Dolgov 2018-10-15 15:47:50 +03:00
parent 74736fce0f
commit 65e98f4086
3 changed files with 12 additions and 7 deletions

View File

@ -476,8 +476,6 @@ class Handler_Public extends Handler {
session_set_cookie_params(0); session_set_cookie_params(0);
} }
@session_start();
if (authenticate_user($login, $password)) { if (authenticate_user($login, $password)) {
$_POST["password"] = ""; $_POST["password"] = "";
@ -501,6 +499,10 @@ class Handler_Public extends Handler {
} }
} }
} else { } else {
// start an empty session to deliver login error message
@session_start();
$_SESSION["login_error_msg"] = __("Incorrect username or password"); $_SESSION["login_error_msg"] = __("Incorrect username or password");
user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING); user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
} }

View File

@ -712,7 +712,14 @@
} }
if ($user_id && !$check_only) { if ($user_id && !$check_only) {
@session_start();
if (session_status() != PHP_SESSION_NONE) {
session_destroy();
session_commit();
}
session_start();
session_regenerate_id(true);
$_SESSION["uid"] = $user_id; $_SESSION["uid"] = $user_id;
$_SESSION["version"] = VERSION_STATIC; $_SESSION["version"] = VERSION_STATIC;

View File

@ -160,9 +160,5 @@
if (!defined('NO_SESSION_AUTOSTART')) { if (!defined('NO_SESSION_AUTOSTART')) {
if (isset($_COOKIE[session_name()])) { if (isset($_COOKIE[session_name()])) {
@session_start(); @session_start();
if (!$_SESSION['uid']) {
logout_user();
}
} }
} }