Security Update: session fixation

The previous version is vulnerable to a session fixation attack in some situations, presumably in environments where PHP 5 does not run as an Apache module. The session id should be regenerated here.
remotes/origin/ldap_group_count
NARUKAWA Hiroki 2013-12-20 03:38:51 +07:00
parent f0da7b20c1
commit 068688063e
1 changed files with 1 additions and 0 deletions

@ -157,6 +157,7 @@ class Session implements Emitter, \OCP\IUserSession {
if($user !== false) {
if (!is_null($user)) {
if ($user->isEnabled()) {
session_regenerate_id(true);
$this->setUser($user);
$this->setLoginname($uid);
$this->manager->emit('\OC\User', 'postLogin', array($user, $password));
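Review bot: The result of `session_regenerate_id(true)` in the `isEnabled()` branch is never checked, so if regeneration fails (PHP returns false, for instance when no session is active) `setUser()` still binds the account to the pre-login session id and the fixation condition remains. Guard the call, for example `if (!session_regenerate_id(true)) { return false; }`, assuming the enclosing method reports a failed login with false; that is not visible here because the method starts and ends outside the hunk. A one-line comment would also record the ordering requirement: `// issue a new session id before the user is bound, so a pre-login id is never authenticated`. Any other login path in this class lies outside the hunk and should be checked for the same call.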