
Regenerating session IDs on login state change.

Thanks to Juttikhun Khamchaiyaphum for the suggestion.
timbuckingham committed Oct 11, 2018
1 parent dd4456e commit c69402c4764ed9a76301c57277aefe70141b6418
Showing with 3 additions and 0 deletions.
  1. +3 −0 core/inc/bigtree/admin.php
@@ -118,6 +118,7 @@ function __construct() {
$this->CSRFToken = $csrf_token;
$this->CSRFTokenField = $csrf_token_field;
session_regenerate_id();
$_SESSION["bigtree_admin"]["id"] = $f["id"];
$_SESSION["bigtree_admin"]["email"] = $f["email"];
$_SESSION["bigtree_admin"]["name"] = $f["name"];
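Review bot: the added `session_regenerate_id();` in `__construct()` is called without the `$delete_old_session` argument, so PHP keeps the old session data alive under the previous ID until garbage collection; passing `true` (`session_regenerate_id(true);`) discards the old record so a previously captured ID stops resolving to a session at all. The placement itself is right: regeneration happens before the `$_SESSION["bigtree_admin"]` fields are written, and the new ID carries the session data forward, so nothing written here is lost.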
@@ -6053,6 +6054,7 @@ static function login($email,$password,$stay_logged_in = false,$domain = null,$t
setcookie('bigtree_admin[login]', $cookie_value, strtotime("+1 month"), $cookie_domain, "", false, true);
}
session_regenerate_id();
$_SESSION["bigtree_admin"]["id"] = $user["id"];
$_SESSION["bigtree_admin"]["email"] = $user["email"];
$_SESSION["bigtree_admin"]["level"] = $user["level"];
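Review bot: the return value of `session_regenerate_id();` in `login()` is ignored; when no session is active the call emits a warning and returns `false`, and the code then populates `$_SESSION["bigtree_admin"]` under the unrotated ID, which is exactly the session fixation case this commit is meant to close. Guarding the call with `session_status() === PHP_SESSION_ACTIVE` (or asserting the return value) would make the failure visible instead of silent. Calling it after the `setcookie(...)` for the remember-me cookie is fine, since the session cookie is a separate header and no body output has been sent at that point.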
@@ -6184,6 +6186,7 @@ static function loginSession($session_key) {
setcookie('bigtree_admin[login]', $cookie_value, strtotime("+1 month"), $cookie_domain, "", false, true);
}
session_regenerate_id();
$_SESSION["bigtree_admin"]["id"] = $user["id"];
$_SESSION["bigtree_admin"]["email"] = $user["email"];
$_SESSION["bigtree_admin"]["level"] = $user["level"];
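Review bot: `loginSession()` now duplicates the `login()` block line for line (the `setcookie(...)`, the `session_regenerate_id();`, and the three `$_SESSION["bigtree_admin"]` writes), which makes it easy for a future change to harden one path and not the other; a single helper that regenerates the ID and then populates the session would keep the three call sites consistent. As in the other hunks, `session_regenerate_id(true);` would also delete the old session record rather than leaving it reachable by its former ID.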

1 comment on commit c69402c

@zionspike



commented on c69402c Oct 17, 2018

The CVE for this vulnerability has been reserved as CVE-2018-18380.
