author | Florian Preinstorfer <nblock@archlinux.us> | 2012-03-13 16:00:53 +0100 |
---|---|---|
committer | Robin Appelman <icewind@owncloud.com> | 2012-04-12 19:15:38 +0200 |
commit | b86f2069ff1f434373c0babe0c28db5ee431498e (patch) | |
tree | 3c593d0414194982d43f9b1007f86ec4285e1435 /lib/user.php | |
parent | 2f3c0a6d804609aa908b8e938943e3ab8679b0a9 (diff) | |
download | nextcloud-server-b86f2069ff1f434373c0babe0c28db5ee431498e.tar.gz nextcloud-server-b86f2069ff1f434373c0babe0c28db5ee431498e.zip |
Fix a session fixation vulnerability
- regenerate the session for every successful login
- properly destroy a session
Further information can be found on:
https://en.wikipedia.org/wiki/session_fixation
Diffstat (limited to 'lib/user.php')
-rw-r--r-- | lib/user.php | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/user.php b/lib/user.php
index fda19a33154..8c27ec30cc2 100644
--- a/lib/user.php
+++ b/lib/user.php
@@ -186,7 +186,7 @@ class OC_User {
 * @param $password The password of the user
 * @returns true/false
 *
- * Log in a user - if the password is ok
+ * Log in a user and regenerate a new session - if the password is ok
 */
 public static function login( $uid, $password ){
 $run = true;
@@ -195,6 +195,7 @@ class OC_User {
 if( $run ){
 $uid=self::checkPassword( $uid, $password );
 if($uid){
+ session_regenerate_id();
 self::setUserId($uid);
 OC_Hook::emit( "OC_User", "post_login", array( "uid" => $uid, 'password'=>$password ));
 return true;
@@ -221,7 +222,8 @@ class OC_User {
 */
 public static function logout(){
 OC_Hook::emit( "OC_User", "logout", array());
- $_SESSION['user_id'] = false;
+ session_unset();
+ session_destroy();
 OC_User::unsetMagicInCookie();
 return true;
 }
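Review bot: The new `session_regenerate_id();` in the `if($uid)` branch leaves the old session record on the server, so an ID an attacker planted before login stays valid until session garbage collection runs; passing the delete flag closes that window: `session_regenerate_id(true);`. PHP copies the current `$_SESSION` contents into the new ID either way, so nothing visible in this hunk is lost by deleting the old record. Placing the call before `self::setUserId($uid)` is the right order, since the user ID is only ever written under the fresh ID. `login()` begins in the previous hunk and its failure path lies outside this one, so I cannot see whether a failed attempt leaves the fixated ID untouched.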
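Review bot: `session_destroy();` in `logout()` removes the server-side data but does not expire the session cookie, so the browser keeps presenting the old ID and will transparently reuse it on the next request; add after it `$p = session_get_cookie_params();` and `setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);`. The PHP manual also recommends `$_SESSION = array();` alongside `session_unset()` so that code running later in the same request sees an empty array rather than stale values. Both calls emit a warning when no session is active, which I cannot rule out from this hunk; if that can happen, guard them with a check on `session_id() !== ''`.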