Security Update: session fixation

Previous version is vulnerable to session fixation attack in some situations, guessing non-apache-module-php5 environment. Regeneration of session id should be done here.
author: NARUKAWA Hiroki <nhirokinet@nhiroki.net> 2013-12-20 03:38:51 +0900
committer: NARUKAWA Hiroki <nhirokinet@nhiroki.net> 2013-12-20 03:38:51 +0900
commit: 068688063eb660d35ee0dca8d3ceb53d2f243bbe (patch)
tree: da1cb8788f54f1be41dedca96d7fce732a7a938f /lib/private/user/session.php
parent: f0da7b20c12c14e0fbd9cddfbe7c5c26d43e2607 (diff)
download: nextcloud-server-068688063eb660d35ee0dca8d3ceb53d2f243bbe.tar.gz
nextcloud-server-068688063eb660d35ee0dca8d3ceb53d2f243bbe.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/private/user/session.php b/lib/private/user/session.php
index c2885d00413..67cfdf2624e 100644
--- a/lib/private/user/session.php
+++ b/lib/private/user/session.php
@@ -157,6 +157,7 @@ class Session implements Emitter, \OCP\IUserSession {
 		if($user !== false) {
 			if (!is_null($user)) {
 				if ($user->isEnabled()) {
+					session_regenerate_id(true);
 					$this->setUser($user);
 					$this->setLoginname($uid);
 					$this->manager->emit('\OC\User', 'postLogin', array($user, $password));
author	NARUKAWA Hiroki <nhirokinet@nhiroki.net>	2013-12-20 03:38:51 +0900
committer	NARUKAWA Hiroki <nhirokinet@nhiroki.net>	2013-12-20 03:38:51 +0900
commit	068688063eb660d35ee0dca8d3ceb53d2f243bbe (patch)
tree	da1cb8788f54f1be41dedca96d7fce732a7a938f /lib/private/user/session.php
parent	f0da7b20c12c14e0fbd9cddfbe7c5c26d43e2607 (diff)
download	nextcloud-server-068688063eb660d35ee0dca8d3ceb53d2f243bbe.tar.gz nextcloud-server-068688063eb660d35ee0dca8d3ceb53d2f243bbe.zip