Security: Session Fixation
This commit addresses possible session fixation on both agent and end-user
login. Upon login, users are now issued a new session, with the old one
invalidated.
protich authored and JediKev committed May 19, 2022
1 parent 01a378f commit 85a76f4
Showing 3 changed files with 157 additions and 127 deletions.
15 changes: 9 additions & 6 deletions include/class.auth.php
Expand Up @@ -538,6 +538,8 @@ function login($staff, $bk) {
|| !($authkey=$bk->getAuthKey($staff)))
return false;

// Regenerate session id and refresh (avoid session fixation)
$staff->regenerateSession();
//Log debug info.
$ost->logDebug(_S('Agent Login'),
sprintf(_S("%s logged in [%s], via %s"), $staff->getUserName(),
Expand All @@ -563,9 +565,10 @@ function login($staff, $bk) {
$authsession['id'] = $staff->getId();
$authsession['key'] = $authkey;
$authsession['2fa'] = $auth2fa;

// Set session token
$staff->setSessionToken();
// Set Auth Key
$staff->setAuthKey($authkey);
$staff->refreshSession(true); //set the hash.
Signal::send('auth.login.succeeded', $staff);

if ($bk->supportsInteractiveAuthentication())
Expand Down Expand Up @@ -755,15 +758,15 @@ function login($user, $bk) {
throw new AccessDenied(__('Account is administratively locked'));
}

// Regenerate session id and refresh (avoid session fixation)
$user->regenerateSession();
// Tag the user and associated ticket in the SESSION
$this->setAuthKey($user, $bk, $authkey);

// Set Session Token
$user->setSessionToken();
//The backend used decides the format of the auth key.
// XXX: encrypt to hide the bk??
$user->setAuthKey($authkey);

$user->refreshSession(true); //set the hash.

//Log login info...
$msg=sprintf(_S('%1$s (%2$s) logged in [%3$s]'
/* Tokens are <username>, <id>, and <ip> */),
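Review bot: The whole mitigation rests on `$staff->regenerateSession()` (first hunk) and `$user->regenerateSession()` (third hunk), but nothing in these hunks shows what that method does; the fix is only effective if it discards the old session id rather than merely minting a new one (the `session_regenerate_id(true)` semantics the commit message promises), and the call sites carry no hint of that contract. I would document it where it is relied upon, replacing the comment above each call with `// Must run after credentials are verified and before any auth state is written below; it must discard the old session id, not just issue a new one (avoid session fixation).` The ordering is currently right in both login() bodies — regeneration precedes the `$authsession[...]` writes, `setSessionToken()` and `setAuthKey()` — so the comment's job is to keep a later refactor from moving it. Presumably `$authsession` in the second hunk is a reference into `$_SESSION` taken before the regeneration; that stays valid if regenerateSession() only rotates the id, but would silently write into a dead array if it ever reinitialised the session data, so that assumption is worth a confirming test. Both login() functions start and end outside these hunks.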
