Set a new random cookie string upon logout
When a user logs out from Mantis, we reset their session cookie string.
This ensures that anyone knowing its value is no longer able to log in
with it.

While not a complete fix for issue #11296, this does improve the
situation by providing an easy and logical means for users to
effectively invalidate all their previous sessions.

Additionally, using an empty value to indicate an invalidated cookie
string instead of directly generating a new hash makes it easy to:
- identify user records which should be considered as logged out
  (e.g. last_visit older than $g_cookie_time_length)
- invalidate login cookies (set them to '')
Leveraging this is left for future improvements.

Note: an empty string in the session cookie always triggers an anonymous
login (or sends the user back to login page if anonymous login is
disabled).

Fixes #27976

(cherry picked from commit d8181a5)
dregad committed Mar 6, 2021
1 parent 4aa1c22 commit 79a78c0
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions core/authentication_api.php
@@ -658,6 +658,15 @@ function auth_attempt_script_login( $p_username, $p_password = null ) {
function auth_logout() {
global $g_cache_current_user_id, $g_cache_cookie_valid;

if( !user_is_protected( $g_cache_current_user_id ) ) {
# Reset the user's cookie string
user_set_field(
$g_cache_current_user_id,
'cookie_string',
auth_generate_unique_cookie_string()
);
}

# clear cached userid
user_clear_cache( $g_cache_current_user_id );
current_user_set( null );
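Review bot: the added block calls `auth_generate_unique_cookie_string()` when writing `cookie_string`, which contradicts the commit message's statement that an empty value is used to mark an invalidated cookie string "instead of directly generating a new hash"; either the message should describe the generated-hash behaviour, or the call should pass `''` so the empty-value convention the message relies on (an empty session cookie always triggers an anonymous login) actually holds. Also worth a comment in the hunk: because of the `user_is_protected` guard, protected accounts keep their existing cookie string on logout, so the stated guarantee that anyone knowing the value can no longer log in with it does not apply to them.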