From 86b3a9fc782ce0135a1ebc213bc081007a5d24cd Mon Sep 17 00:00:00 2001
From: Ignacio Nelson
Date: Fri, 30 Jul 2021 16:22:50 -0300
Subject: [PATCH] Regenerate session ID helps prevent Session Fixation

Fixes https://huntr.dev/bounties/d7fec539-c6db-4493-9542-f1c8e80cc15b/
---
 includes/Classes/Auth.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/includes/Classes/Auth.php b/includes/Classes/Auth.php
index 12b09878e..a728e28a8 100644
--- a/includes/Classes/Auth.php
+++ b/includes/Classes/Auth.php
@@ -49,6 +49,8 @@ private function login($user)
         else {
             $_SESSION['access'] = 'admin';
         }
+
+        session_regenerate_id(true);
     }
 
     public function authenticate($username, $password)
@@ -399,6 +401,7 @@ public function logout($error_code = null)
         header("Cache-control: private");
         $_SESSION = array();
         session_destroy();
+        session_regenerate_id(true);
         global $hybridauth;
         if (!empty($hybridauth)) {
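Review bot: The return value of the added `session_regenerate_id(true);` in login() is not checked, so if regeneration fails (no active session, or output already sent so the new cookie cannot be set) the user is left authenticated under the pre-login session ID, which is the very state this patch is meant to eliminate. Treat a failed regeneration as a failed login, e.g. `if (!session_regenerate_id(true)) { throw new \RuntimeException('Could not regenerate session ID'); }` or whatever failure path login() already uses. Note also that passing `true` deletes the old session data immediately, so any concurrent request still carrying the old ID will lose its session; the PHP manual suggests this is acceptable when a fresh ID is the priority, but it is worth a short comment above the call stating that trade-off. The body of login() begins before this hunk, so I cannot confirm from here that session_start() has run on every path reaching this line.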
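Review bot: In logout() the new `session_regenerate_id(true);` is placed after `session_destroy();`, at which point there is no active session, so the call only emits a warning and returns false without changing anything; it does not strengthen logout. Move the regeneration above `session_destroy()` so it runs while the session is still active, and expire the client's cookie with `setcookie(session_name(), ...)` using `session_get_cookie_params()`, which is the documented way to make the browser drop the old ID rather than keep presenting it. The rewritten stretch is below; logout() continues past the end of this hunk.
```php
        header("Cache-control: private");
        $_SESSION = array();
        // Regenerate while the session is still active; after session_destroy()
        // there is no session to regenerate and the call only emits a warning.
        session_regenerate_id(true);
        if (ini_get('session.use_cookies')) {
            $params = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
        }
        session_destroy();
        // … unchanged: hybridauth logout …
```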