Set a new random cookie string upon logout

Per @vboctor's request in PR review [1]. This reverts the earlier implementation, where the cookie string was set to '' and a new one generated at next login. Fixes #27976 [1]: #1737
mantisbt · Mar 6, 2021 · d8181a5 · d8181a5
1 parent 6f369a5
commit d8181a5
Showing 1 changed file with 2 additions and 9 deletions.
diff --git a/core/authentication_api.php b/core/authentication_api.php
@@ -659,11 +659,11 @@ function auth_logout() {
 	global $g_cache_current_user_id, $g_cache_cookie_valid;
 
 	if( !user_is_protected( $g_cache_current_user_id ) ) {
-		# Clear the user's cookie string
+		# Reset the user's cookie string
 		user_set_field(
 			$g_cache_current_user_id,
 			'cookie_string',
-			''
+			auth_generate_unique_cookie_string()
 		);
 	}
 
@@ -845,13 +845,6 @@ function auth_generate_confirm_hash( $p_user_id ) {
  */
 function auth_set_cookies( $p_user_id, $p_perm_login = false ) {
 	$t_cookie_string = user_get_field( $p_user_id, 'cookie_string' );
-
-	# If cookie string is not set in DB, generate a new one
-	if( !$t_cookie_string ) {
-		$t_cookie_string = auth_generate_unique_cookie_string();
-		user_set_field( $p_user_id, 'cookie_string', $t_cookie_string );
-	}
-
 	$t_cookie_name = config_get_global( 'string_cookie' );
 	gpc_set_cookie( $t_cookie_name, $t_cookie_string, auth_session_expiry( $p_user_id, $p_perm_login ) );
 }