API CHANGE Member::set_session_regenerate_id() can now be used to disable Member::session_regenerate_id() which can break setting session cookies across all subdomains of a site (from r109103)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112781 467b73ca-7a2a-4603-9d3b-597d59a354a9
2024-10-22 14:05:37 +02:00 · 2010-10-19 00:55:33 +00:00 · 2010-10-19 00:55:33 +00:00 · cf6907931b
commit cf6907931b
parent f8ec13a1ab
1 changed files with 17 additions and 0 deletions
--- a/security/Member.php
+++ b/security/Member.php
@ -110,6 +110,21 @@ class Member extends DataObject {
 	 */
 	protected static $login_marker_cookie = null;

+	/**
+	 * Indicates that when a {@link Member} logs in, Member:session_regenerate_id()
+	 * should be called as a security precaution.
+	 * 
+	 * This doesn't always work, especially if you're trying to set session cookies
+	 * across an entire site using the domain parameter to session_set_cookie_params()
+	 * 
+	 * @var boolean
+	 */
+	protected static $session_regenerate_id = true;
+
+	public static function set_session_regenerate_id($bool) {
+		self::$session_regenerate_id = $bool;
+	}
+
 	/**
 	 * Ensure the locale is set to something sensible by default.
 	 */
@ -229,6 +244,8 @@ class Member extends DataObject {
 	 * quirky problems (such as using the Windmill 0.3.6 proxy).
 	 */
 	static function session_regenerate_id() {
+		if(!self::$session_regenerate_id) return;
+
 		// This can be called via CLI during testing.
 		if(Director::is_cli()) return;