From ff9b30ec40be6d3edb08953083a4c69ec7e73e71 Mon Sep 17 00:00:00 2001
From: Renato Botelho
Date: Tue, 17 Jun 2014 14:26:50 -0300
Subject: Re-generate session ID on a successful login to avoid session fixation
---
 etc/inc/auth.inc | 1 +
 1 file changed, 1 insertion(+)
(limited to 'etc/inc')
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 6835c71..fa57b15 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -1361,6 +1361,7 @@ function session_auth() {
 $authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
 if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg) || authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
+ session_regenerate_id();
 $_SESSION['Logged_In'] = "True";
 $_SESSION['Username'] = $_POST['usernamefld'];
 $_SESSION['last_access'] = time();
--
cgit v1.1
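Review bot: The added `session_regenerate_id();` call ignores its return value, so if regeneration fails (it returns false, for instance when no session is active or headers have already been sent) the following lines still set `$_SESSION['Logged_In']` under the pre-login session ID and the fixation fix silently does nothing. Consider passing `true` so the old session record is deleted rather than left to expire, and treating failure as a failed login, e.g. `if (!session_regenerate_id(true)) { /* log and refuse the login */ }`. Whether a session is guaranteed to be active at this point cannot be confirmed here, because `session_auth()` starts and ends outside the hunk. A short comment above the call, such as `/* new session ID on login: prevents session fixation */`, would also keep it from being removed later as redundant.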