Regenerate session ID helps prevent Session Fixation

Fixes https://huntr.dev/bounties/d7fec539-c6db-4493-9542-f1c8e80cc15b/
projectsend · Jul 30, 2021 · 86b3a9f · 86b3a9f
1 parent 1d90d54
commit 86b3a9f
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/includes/Classes/Auth.php b/includes/Classes/Auth.php
@@ -49,6 +49,8 @@ private function login($user)
         else {
             $_SESSION['access'] = 'admin';
         }
+
+        session_regenerate_id(true);
     }
 
     public function authenticate($username, $password)
@@ -399,6 +401,7 @@ public function logout($error_code = null)
         header("Cache-control: private");
 		$_SESSION = array();
         session_destroy();
+        session_regenerate_id(true);
 
         global $hybridauth;
         if (!empty($hybridauth)) {