author | Renato Botelho <garga@FreeBSD.org> | 2014-06-17 14:26:50 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-06-17 14:27:00 -0300 |
commit | 8588095f85372ad9595d785de9e058d9f1e05748 (patch) | |
tree | 6ee0c9488405baee28fcf5c1d254627582099536 | |
parent | 5de32d520bc7eee5ef400951130eef8a5cec9a2f (diff) | |
Re-generate session ID on a successful login to avoid session fixation
-rw-r--r-- | etc/inc/auth.inc | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 52065df..d1c5f19 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -1366,6 +1366,7 @@ function session_auth() {
 $authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
 if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg) ||
 authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
+ session_regenerate_id();
 $_SESSION['Logged_In'] = "True";
 $_SESSION['Username'] = $_POST['usernamefld'];
 $_SESSION['last_access'] = time();
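Review bot: The return value of `session_regenerate_id()` on the added line is ignored, so if regeneration fails (it returns false) the login continues on the pre-login session ID and the fixation defence silently does nothing. Treat a failed regeneration as a failed login, for example `if (!session_regenerate_id(true)) { /* log and refuse the login */ }`. Passing `true` also deletes the old session data, so the pre-login ID stops resolving to a session on the server. A one-line comment such as `// New session ID on login to prevent session fixation` would keep the reason next to the call. The body of session_auth() starts and ends outside this hunk, so whether a session is already active at this point cannot be confirmed from here.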