author | NARUKAWA Hiroki <nhirokinet@nhiroki.net> | 2013-12-19 22:38:51 +0400 |
committer | Lukas Reschke <lukas@statuscode.ch> | 2014-02-20 17:31:23 +0400 |
commit | a422f19fac4981c494207f56a849958f2f40cbb1 (patch) | |
tree | ba923c2be2f62e4bda2f59793da939e0a7238673 | |
parent | ebb1a70abcddcb402a4bda24c1e6a4ddc2ab0665 (diff) |
Security Update: session fixation
The previous version is vulnerable to a session fixation attack in some situations, presumably in non-Apache-module (non-mod_php) PHP 5 environments. The session id should be regenerated here, on successful login.
-rw-r--r-- | lib/private/user/session.php | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/private/user/session.php b/lib/private/user/session.php
index 1e299416fb3..71bacfeb5b9 100644
--- a/lib/private/user/session.php
+++ b/lib/private/user/session.php
@@ -157,6 +157,7 @@ class Session implements Emitter, \OCP\IUserSession {
 if($user !== false) {
 if (!is_null($user)) {
 if ($user->isEnabled()) {
+ session_regenerate_id(true);
 $this->setUser($user);
 $this->setLoginName($uid);
 $this->manager->emit('\OC\User', 'postLogin', array($user, $password)); |
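Review bot: The return value of `session_regenerate_id(true)` is ignored, so when regeneration fails (no PHP session active, as in CLI or test runs, or headers already sent) the login on the following `setUser`/`setLoginName` lines still completes under the original, possibly attacker-supplied, session id — exactly the fixation this commit is meant to close, and PHP only emits a warning in that case. I would treat a failed regeneration as a failed login, e.g. `if (!session_regenerate_id(true)) { return false; }` (or whatever failure value the enclosing login method uses; its body starts and ends outside the hunk). If the project wraps PHP sessions behind its own session interface rather than the native `$_SESSION`, regeneration should probably go through that wrapper so non-native session backends are covered too — I cannot confirm that from this hunk. A short comment above the call, `// regenerate the id on privilege change so a pre-set (fixated) session id cannot be reused`, would also document why the line must stay before `setUser`.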