prevent session fixation attacks

agentejo · Sep 26, 2021 · 0c6628c · 0c6628c
1 parent 54423fc
commit 0c6628c
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/modules/Cockpit/module/auth.php b/modules/Cockpit/module/auth.php
@@ -47,6 +47,8 @@
     'setUser' => function($user, $permanent = true) use($app) {
 
         if ($permanent) {
+            // prevent session fixation attacks
+            session_regenerate_id(true);
             $app('session')->write('cockpit.app.auth', $user);
         }
 
@@ -73,6 +75,9 @@
     'logout' => function() use($app) {
         $app->trigger('cockpit.account.logout', [$this->getUser()]);
         $app('session')->delete('cockpit.app.auth');
+
+        // prevent session fixation attacks
+        session_regenerate_id(true);
     },
 
     'hasaccess' => function($resource, $action, $group = null) use($app) {