another attempt to enforce session ID regeneration on login

This commit is contained in:
Andrew Dolgov 2018-10-16 09:11:32 +03:00
parent 9dadbdbb21
commit f730d7bb0a
2 changed files with 7 additions and 3 deletions

View File

@ -503,7 +503,9 @@ class Handler_Public extends Handler {
// start an empty session to deliver login error message // start an empty session to deliver login error message
@session_start(); @session_start();
$_SESSION["login_error_msg"] = __("Incorrect username or password"); if (!isset($_SESSION["login_error_msg"]))
$_SESSION["login_error_msg"] = __("Incorrect username or password");
user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING); user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
} }

View File

@ -714,9 +714,11 @@
if ($user_id && !$check_only) { if ($user_id && !$check_only) {
/* if a session is started here there's a stale login cookie we need to clean */
if (session_status() != PHP_SESSION_NONE) { if (session_status() != PHP_SESSION_NONE) {
session_destroy(); $_SESSION["login_error_msg"] = __("Stale session cookie found, try logging in again");
session_commit(); return false;
} }
session_regenerate_id(true); session_regenerate_id(true);