tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #92 from silverstripe-security/pulls/3.6/cve-2019-12203

Browse Source 
[CVE-2019-12203] Session fixation in "change password" form
This commit is contained in:
Aaron Carlino 2019-09-24 11:00:22 +12:00 committed by GitHub
commit a6763298fe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
security/Security.php
View File

@ -719,6 +719,12 @@ class Security extends Controller implements TemplateGlobalProvider {
$curMember->logOut();
}
if (!headers_sent()) {
// To avoid a potential session fixation attack
// we're refreshing the session id so that it's
// always new and random for every authentication
session_regenerate_id(true);
}
// Store the hash for the change password form. Will be unset after reload within the ChangePasswordForm.
Session::set('AutoLoginHash', $member->encryptWithUserSettings($_REQUEST['t']));