Merge pull request #92 from silverstripe-security/pulls/3.6/cve-2019-12203
[CVE-2019-12203] Session fixation in "change password" form
commit
a6763298fe
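--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -719,6 +719,12 @@ class Security extends Controller implements TemplateGlobalProvider {
 $curMember->logOut();
 }
 
+if (!headers_sent()) {
+// To avoid a potential session fixation attack
+// we're refreshing the session id so that it's
+// always new and random for every authentication
+session_regenerate_id(true);
+}
 // Store the hash for the change password form. Will be unset after reload within the ChangePasswordForm.
 Session::set('AutoLoginHash', $member->encryptWithUserSettings($_REQUEST['t']));
 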
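Review bot: The `headers_sent()` guard turns the fix into a silent best-effort step: when output has already started, `session_regenerate_id(true)` is skipped, the AutoLoginHash is still written into the existing (possibly attacker-chosen) session id on the following `Session::set` line, and nothing records that the fixation protection did not apply. The return value of `session_regenerate_id()` is likewise unchecked, so a failed regeneration is indistinguishable from a successful one. Consider surfacing both cases so operators can detect them, e.g. `if (headers_sent() || !session_regenerate_id(true)) {` / `user_error('Session id was not regenerated before storing AutoLoginHash', E_USER_WARNING);` / `}`. The added comment says "for every authentication" although this path is the change-password/auto-login flow; `// regenerate the session id before the auto-login hash is stored, so an id fixed by a third party before this request is never reused` would describe the intent more precisely. The enclosing method begins before the hunk, so whether `headers_sent()` can realistically be true at this point cannot be confirmed from the visible lines.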