Merge pull request #92 from silverstripe-security/pulls/3.6/cve-2019-12203

[CVE-2019-12203] Session fixation in "change password" form
Aaron Carlino 2019-09-24 11:00:22 +12:00 committed by GitHub
commit a6763298fe


@ -719,6 +719,12 @@ class Security extends Controller implements TemplateGlobalProvider {
$curMember->logOut(); $curMember->logOut();
} }
if (!headers_sent()) {
// To avoid a potential session fixation attack
// we're refreshing the session id so that it's
// always new and random for every authentication
session_regenerate_id(true);
}
// Store the hash for the change password form. Will be unset after reload within the ChangePasswordForm. // Store the hash for the change password form. Will be unset after reload within the ChangePasswordForm.
Session::set('AutoLoginHash', $member->encryptWithUserSettings($_REQUEST['t'])); Session::set('AutoLoginHash', $member->encryptWithUserSettings($_REQUEST['t']));