[CVE-2019-12203] Session fixation in "change password" form

A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.

src/Control/Session.php

@@ -217,7 +217,6 @@ class Session
      */
     public function init(HTTPRequest $request)
     {
-
         if (!$this->isStarted() && $this->requestContainsSessionId($request)) {
             $this->start($request);
         }
@@ -634,4 +633,16 @@ class Session
             }
         }
     }
+
+    /**
+     * Regenerate session id
+     *
+     * @internal This is for internal use only. Isn't a part of public API.
+     */
+    public function regenerateSessionId()
+    {
+        if (!headers_sent()) {
+            session_regenerate_id(true);
+        }
+    }
 }

src/Security/MemberAuthenticator/ChangePasswordHandler.php

@@ -158,6 +158,7 @@ class ChangePasswordHandler extends RequestHandler
             Injector::inst()->get(IdentityStore::class)->logOut();
         }
 
+        $this->getRequest()->getSession()->regenerateSessionId();
         // Store the hash for the change password form. Will be unset after reload within the ChangePasswordForm.
         $this->getRequest()->getSession()->set('AutoLoginHash', $member->encryptWithUserSettings($token));
     }

src/Security/MemberAuthenticator/SessionAuthenticationHandler.php

@@ -98,6 +98,7 @@ class SessionAuthenticationHandler implements AuthenticationHandler
         $file = '';
         $line = '';
 
+        // TODO: deprecate and use Session::regenerateSessionId
         // @ is to supress win32 warnings/notices when session wasn't cleaned up properly
         // There's nothing we can do about this, because it's an operating system function!
         if (!headers_sent($file, $line)) {