From 0c6628cbff3e49bc317c97b03a4666b3a75f76cc Mon Sep 17 00:00:00 2001
From: Artur Heinze
Date: Sun, 26 Sep 2021 15:27:59 +0200
Subject: [PATCH] prevent session fixation attacks
---
 modules/Cockpit/module/auth.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/modules/Cockpit/module/auth.php b/modules/Cockpit/module/auth.php
index 303fbff37..2cb3214c0 100644
--- a/modules/Cockpit/module/auth.php
+++ b/modules/Cockpit/module/auth.php
@@ -47,6 +47,8 @@
 'setUser' => function($user, $permanent = true) use($app) {
 if ($permanent) {
+ // prevent session fixation attacks
+ session_regenerate_id(true);
 $app('session')->write('cockpit.app.auth', $user);
 }
@@ -73,6 +75,9 @@
 'logout' => function() use($app) {
 $app->trigger('cockpit.account.logout', [$this->getUser()]);
 $app('session')->delete('cockpit.app.auth');
+
+ // prevent session fixation attacks
+ session_regenerate_id(true);
 },
 'hasaccess' => function($resource, $action, $group = null) use($app) {
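Review bot: The result of the new `session_regenerate_id(true)` inside the `if ($permanent)` branch of setUser is discarded, so a regeneration that fails leaves the attacker-chosen ID in place and the user is then written into that very session — the fixation the commit sets out to prevent. `session_regenerate_id()` also only works on an active native session, and the call sits before `$app('session')->write(...)`; if the session wrapper starts the PHP session lazily on that first write (not visible in the hunk), the regeneration runs too early and fails with a warning. I would make sure the wrapper has started the session before this line and then treat failure as an error rather than a no-op: `if (!session_regenerate_id(true)) { throw new \RuntimeException('Could not regenerate session id'); }`. The setUser closure continues outside the hunk.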
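Review bot: In the logout hunk, `session_regenerate_id(true)` after `delete('cockpit.app.auth')` hands the browser a fresh ID but copies every other key of the old session into it, so logout removes only the auth entry rather than ending the session; if the wrapper keeps any other per-user state in `$_SESSION` (not visible here) it survives the logout. For a real logout, clear the data before regenerating, e.g. `$_SESSION = [];` followed by `session_regenerate_id(true);`, or destroy the session and expire its cookie. The copied `// prevent session fixation attacks` comment is also misleading at this point: on logout the purpose is to stop reuse of the previously authenticated ID, so a comment such as `// rotate the session id so the authenticated id cannot be reused after logout` would describe it better. As in setUser, the return value is unchecked.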