force regenerate session id on successful login, remove previous blank SID check

master
Andrew Dolgov 6 years ago
parent 74736fce0f
commit 65e98f4086

@ -476,8 +476,6 @@ class Handler_Public extends Handler {
session_set_cookie_params(0);
}
@session_start();
if (authenticate_user($login, $password)) {
$_POST["password"] = "";
@ -501,6 +499,10 @@ class Handler_Public extends Handler {
}
}
} else {
// start an empty session to deliver login error message
@session_start();
$_SESSION["login_error_msg"] = __("Incorrect username or password");
user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
}

@ -712,7 +712,14 @@
}
if ($user_id && !$check_only) {
@session_start();
if (session_status() != PHP_SESSION_NONE) {
session_destroy();
session_commit();
}
session_start();
session_regenerate_id(true);
$_SESSION["uid"] = $user_id;
$_SESSION["version"] = VERSION_STATIC;

@ -160,9 +160,5 @@
if (!defined('NO_SESSION_AUTOSTART')) {
if (isset($_COOKIE[session_name()])) {
@session_start();
if (!$_SESSION['uid']) {
logout_user();
}
}
}

Loading…
Cancel
Save