From fec41e753926b9f98a554b99dc66b6dd7a0c96a3 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 4 Jan 2016 15:00:58 +0100 Subject: Move regeneration of session ID into session classes There were code paths that nowadays call ISession::login directly thus bypassing the desired regeneration of the session ID. This moves the session regeneration deeper into the session handling and thus ensures that it is always called. Furthermore, I also added the session regeneration to the remember me cookie plus added some test case expectations for this. --- lib/private/user.php | 1 - 1 file changed, 1 deletion(-) (limited to 'lib/private/user.php') diff --git a/lib/private/user.php b/lib/private/user.php index cfa60d675fe..fa1cea9072f 100644 --- a/lib/private/user.php +++ b/lib/private/user.php @@ -162,7 +162,6 @@ class OC_User { * Log in a user and regenerate a new session - if the password is ok */ public static function login($loginname, $password) { - session_regenerate_id(true); $result = self::getUserSession()->login($loginname, $password); if ($result) { //we need to pass the user name, which may differ from login name -- cgit v1.2.3