From ff9b30ec40be6d3edb08953083a4c69ec7e73e71 Mon Sep 17 00:00:00 2001
From: Renato Botelho <garga@FreeBSD.org>
Date: Tue, 17 Jun 2014 14:26:50 -0300
Subject: Re-generate session ID on a successful login to avoid session
 fixation

---
 etc/inc/auth.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 6835c71..fa57b15 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -1361,6 +1361,7 @@ function session_auth() {
 		$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
 		if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg) || 
 		    authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
+			session_regenerate_id();
 			$_SESSION['Logged_In'] = "True";
 			$_SESSION['Username'] = $_POST['usernamefld'];
 			$_SESSION['last_access'] = time();
-- 
cgit v1.1