another attempt to enforce session ID regeneration on login
This commit is contained in:
parent
9dadbdbb21
commit
f730d7bb0a
|
@ -503,7 +503,9 @@ class Handler_Public extends Handler {
|
||||||
// start an empty session to deliver login error message
|
// start an empty session to deliver login error message
|
||||||
@session_start();
|
@session_start();
|
||||||
|
|
||||||
$_SESSION["login_error_msg"] = __("Incorrect username or password");
|
if (!isset($_SESSION["login_error_msg"]))
|
||||||
|
$_SESSION["login_error_msg"] = __("Incorrect username or password");
|
||||||
|
|
||||||
user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
|
user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -714,9 +714,11 @@
|
||||||
|
|
||||||
if ($user_id && !$check_only) {
|
if ($user_id && !$check_only) {
|
||||||
|
|
||||||
|
/* if a session is started here there's a stale login cookie we need to clean */
|
||||||
|
|
||||||
if (session_status() != PHP_SESSION_NONE) {
|
if (session_status() != PHP_SESSION_NONE) {
|
||||||
session_destroy();
|
$_SESSION["login_error_msg"] = __("Stale session cookie found, try logging in again");
|
||||||
session_commit();
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
session_regenerate_id(true);
|
session_regenerate_id(true);
|
||||||
|
|
Loading…
Reference in New Issue