Fix a session fixation vulnerability
authorFlorian Preinstorfer <nblock@archlinux.us>
Tue, 13 Mar 2012 15:00:53 +0000 (16:00 +0100)
committerRobin Appelman <icewind@owncloud.com>
Thu, 12 Apr 2012 17:15:38 +0000 (19:15 +0200)
- regenerate the session for every successful login
- properly destroy a session

Further information can be found on:
https://en.wikipedia.org/wiki/session_fixation

lib/user.php

index fda19a33154bf97add79e40e468b774a2c175f3d..8c27ec30cc200fa7884ab30f9bb4d5dd4d13982e 100644 (file)
@@ -186,7 +186,7 @@ class OC_User {
         * @param $password The password of the user
         * @returns true/false
         *
-        * Log in a user - if the password is ok
+        * Log in a user and regenerate a new session - if the password is ok
         */
        public static function login( $uid, $password ){
                $run = true;
@@ -195,6 +195,7 @@ class OC_User {
                if( $run ){
                        $uid=self::checkPassword( $uid, $password );
                        if($uid){
+                               session_regenerate_id();
                                self::setUserId($uid);
                                OC_Hook::emit( "OC_User", "post_login", array( "uid" => $uid, 'password'=>$password ));
                                return true;
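Review bot: `session_regenerate_id()` on the added line is called without the `delete_old_session` argument, so the session data remains stored under the old id until garbage collection and an id that was planted before login is not actually retired; pass `true`, `session_regenerate_id(true);`, so the old session record is deleted when the id is rotated. Placing the call after `checkPassword` succeeds and before `setUserId` writes login state is correct, since the new id then carries the authenticated state from the start. `login` starts and ends outside this hunk.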
@@ -221,7 +222,8 @@ class OC_User {
         */
        public static function logout(){
                OC_Hook::emit( "OC_User", "logout", array());
-               $_SESSION['user_id'] = false;
+               session_unset();
+               session_destroy();
                OC_User::unsetMagicInCookie();
                return true;
        }
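Review bot: `session_destroy()` on the added line removes the server-side session data but leaves the session cookie on the client, so the browser keeps presenting the old id and, unless `session.use_strict_mode` is enabled, PHP resumes a session under that same id on the next request. Expire the cookie before destroying the session, e.g. `$p = session_get_cookie_params();` followed by `setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);`, guarded by `if (ini_get('session.use_cookies'))` if non-cookie propagation must be supported. `logout` is shown in full in this hunk.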