Merge pull request #6519 from nhirokinet/master

Security Update: session fixation
author: Lukas Reschke <lukas@statuscode.ch> 2014-02-20 17:28:26 +0400
committer: Lukas Reschke <lukas@statuscode.ch> 2014-02-20 17:28:26 +0400
commit: 0241ddc759f7e2d2695c4626df5d2ac27b8b1d90 (patch)
tree: 356cf3406fb7697a8df161639dd3e7a74872c066
parent: 742f54b6d556797bbef2847e546861de0008a28a (diff)
parent: c2e2c59ca7aa873bd07de04ea701a8b351383aec (diff)
2 files changed, 1 insertions, 1 deletions
diff --git a/lib/private/user.php b/lib/private/user.php
index 86a01f96258..08ead712028 100644
--- a/lib/private/user.php
+++ b/lib/private/user.php
@@ -246,7 +246,6 @@ class OC_User {
 		OC_Hook::emit( "OC_User", "pre_login", array( "run" => &$run, "uid" => $uid ));
 
 		if($uid) {
-			session_regenerate_id(true);
 			self::setUserId($uid);
 			self::setDisplayName($uid);
 			self::getUserSession()->setLoginName($uid);
diff --git a/lib/private/user/session.php b/lib/private/user/session.php
index 1740bad5abe..cd03b30205f 100644
--- a/lib/private/user/session.php
+++ b/lib/private/user/session.php
@@ -157,6 +157,7 @@ class Session implements Emitter, \OCP\IUserSession {
 		if($user !== false) {
 			if (!is_null($user)) {
 				if ($user->isEnabled()) {
+					session_regenerate_id(true);
 					$this->setUser($user);
 					$this->setLoginName($uid);
 					$this->manager->emit('\OC\User', 'postLogin', array($user, $password));
author	Lukas Reschke <lukas@statuscode.ch>	2014-02-20 17:28:26 +0400
committer	Lukas Reschke <lukas@statuscode.ch>	2014-02-20 17:28:26 +0400
commit	0241ddc759f7e2d2695c4626df5d2ac27b8b1d90 (patch)
tree	356cf3406fb7697a8df161639dd3e7a74872c066
parent	742f54b6d556797bbef2847e546861de0008a28a (diff)
parent	c2e2c59ca7aa873bd07de04ea701a8b351383aec (diff)