Commit fef939a0 authored by Aaron Wells's avatar Aaron Wells

Bug 1567784: session_regenerate_id() not working

We have existing code that tries to regenerate your
session ID when you log in. But it stopped working
in PHP 15.04 because the session has usually been
closed when it gets called.

Change-Id: I5f99cdf355892040866bb0113fd934e3d37bf33c
behatnotneeded: Can't be tested by behat
(cherry picked from commit a923f51b)
parent 0184cbf6
......@@ -405,6 +405,27 @@ class Session {
}
}
/**
* Regenerate session id. This does *not* clear the $_SESSION object
* or the session data on the server. It just changes the user's
* session ID. You should do this whenever a user logs in or otherwise
* changes their permission level, to avoid session fixation attacks.
*
* If you want to clear the session, call $SESSION->destroy_session()
*
* @return boolean
*/
public function regenerate_id() {
$this->ensure_session();
$result = session_regenerate_id(true);
$this->sessionid = session_id();
if (!$result) {
log_warn("session_regenerate_id() failed");
}
$this->ro_session();
return $result;
}
/**
* Find out if the session has been started yet
*/
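Review bot: The docblock's bare `@return boolean` does not say what a false result means, and in the body a failed session_regenerate_id() is only logged through log_warn() before the method returns normally. Because the comment itself recommends this call on login to prevent session fixation, the contract should be spelled out, e.g. `@return boolean true if a new session ID was issued; false if the old ID is still in use, in which case the caller must not continue the login or privilege change`. It is also worth a one-line comment that `$this->sessionid` is refreshed from session_id() on both paths, so after a failure it presumably still holds the pre-call ID.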
......
......@@ -1656,7 +1656,7 @@ class LiveUser extends User {
}
$this->populate($user);
session_regenerate_id(true);
$this->SESSION->regenerate_id();
$time = time();
$this->lastlastlogin = $this->lastlogin;
$this->lastlogin = $time;
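Review bot: The return value of `$this->SESSION->regenerate_id()` is discarded at this call site, so if regeneration fails the login carries on under the session ID the browser presented before authentication, which is the fixation case this call is meant to close. regenerate_id() only logs a warning on failure, so the check has to happen here: `if (!$this->SESSION->regenerate_id()) { /* abort the login via the project's usual error path */ }`. The enclosing method starts and ends outside the hunk, so whether aborting means an exception or a return value cannot be determined from the visible lines.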
......