sec(SessionMgmt) regenerate sessionIDs on privilege escalation

include/Webservices/OperationManager.php

@@ -142,6 +142,8 @@ public function runOperation($params, $user) {
 					return $userDetails;
 				} else {
 					coreBOS_Session::set('authenticated_user_id', $userDetails->id);
+					coreBOS_Session::saveUserID($userDetails->id, coreBOS_Session::id(), 'cbws');
+					coreBOS_Session::deleteUserID($userDetails->id, coreBOS_Session::id(), 'cbws');
 					cbEventHandler::do_action('corebos.login', array($userDetails, null, 'webservice'));
 					global $adb;
 					$webserviceObject = VtigerWebserviceObject::fromName($adb, 'Users');

modules/Mobile/api/ws/Controller.php

@@ -24,6 +24,8 @@ public function initActiveUser($user) {
 
 	protected function setActiveUser($user) {
 		coreBOS_Session::set('_authenticated_user_id', $user->id);
+		coreBOS_Session::saveUserID($user->id, session_id(), 'cbmb');
+		coreBOS_Session::deleteUserID($user->id, session_id(), 'cbmb');
 		$this->initActiveUser($user);
 	}
 

modules/Mobile/api/ws/Login.php

@@ -53,6 +53,8 @@ public function process(crmtogo_API_Request $request) {
 			coreBOS_Session::set('language', $current_user->column_fields['language']);
 			coreBOS_Session::set('user_tz', $current_user->column_fields['time_zone']);
 			coreBOS_Session::save();
+			coreBOS_Session::saveUserID($current_user->id, session_id(), 'cbmb');
+			coreBOS_Session::deleteUserID($current_user->id, session_id(), 'cbmb');
 			$result = array();
 			$result['login'] = array(
 				'userid' => $current_user->id,

modules/Users/Authenticate.php

@@ -42,6 +42,7 @@
 	die();
 }
 if ($focus->is_authenticated() && $focus->is_twofaauthenticated()) {
+	coreBOS_Session::regenerate();
 	//Inserting entries for audit trail during login
 	if (coreBOS_Settings::getSetting('audit_trail', false)) {
 		$date_var = $adb->formatDate(date('Y-m-d H:i:s'), true);
@@ -89,6 +90,8 @@
 	coreBOS_Session::set('vtiger_authenticated_user_theme', $authenticated_user_theme);
 	coreBOS_Session::set('authenticated_user_language', $authenticated_user_language);
 	coreBOS_Session::save();
+	coreBOS_Session::saveUserID($focus->id, session_id());
+	coreBOS_Session::deleteUserID($focus->id, session_id());
 	cbEventHandler::do_action('corebos.login', array($focus));
 
 	$log->debug("authenticated_user_language and ID: $authenticated_user_language $focus->id");

webservice.php

@@ -123,23 +123,32 @@ function getRequestParamsArrayForOperation($operation) {
 			return;
 		}
 	} else {
-		$sessionId = coreBOS_Session::init(false, false, $sessionId, 'cbws');
+		$sessionExists = coreBOS_Session::sessionExists($sessionId, 'cbws,');
+		if ($sessionExists) {
+			$sessionId = coreBOS_Session::init(false, false, $sessionId, 'cbws');
+		} else {
+			$sessionId = false;
+		}
 	}
 	if (!$sessionId && !$operationManager->isPreLoginOperation()) {
 		writeErrorOutput($operationManager, new WebServiceException(WebServiceErrorCode::$AUTHREQUIRED, 'Authentication required'));
 		return;
 	}
 
-	$userid = coreBOS_Session::get('authenticated_user_id');
-	if (!$sessionId || (!$userid && !$operationManager->isPreLoginOperation())) {
+	if (!$sessionId && !$operationManager->isPreLoginOperation()) {
 		writeErrorOutput($operationManager, 'Incorrect session');
 		return;
 	}
+	$userid = coreBOS_Session::get('authenticated_user_id');
+	if (!$userid && !$operationManager->isPreLoginOperation()) {
+		writeErrorOutput($operationManager, new WebServiceException(WebServiceErrorCode::$AUTHREQUIRED, 'Authentication required'));
+		return;
+	}
 
 	$now = time();
-	coreBOS_Session::setExpire($now + GlobalVariable::getVariable('WebService_Session_Life_Span', 86400));
-	coreBOS_Session::setIdle($now + GlobalVariable::getVariable('WebService_Session_Idle_Time', 1800), true);
 	if (!empty($userid)) {
+		coreBOS_Session::setExpire($now + GlobalVariable::getVariable('WebService_Session_Life_Span', 86400));
+		coreBOS_Session::setIdle($now + GlobalVariable::getVariable('WebService_Session_Idle_Time', 1800), true);
 		$seed_user = new Users();
 		$current_user = $seed_user->retrieveCurrentUserInfoFromFile($userid);
 		if (!empty($current_user->language)) {