Safer handling of sessions during authentication

- always generate new session for login form - always generate new session when authenticated using cookie auth Signed-off-by: Michal Čihař <michal@cihar.com>
phpmyadmin · May 23, 2016 · f9d6c40 · f9d6c40
1 parent 84fbe2c
commit f9d6c40
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -13,6 +13,7 @@ phpMyAdmin - ChangeLog
 - issue #12219 Fix locking issues when importing SQL
 - issue #12231 Avoid confusing warning when mysql extension is missing
 - issue        Improve handling of logout
+- issue        Safer handling of sessions during authentication
 
 4.6.1 (2016-05-02)
 - issue #12120 PMA_Util not found in insert_edit.lib.php

diff --git a/libraries/common.inc.php b/libraries/common.inc.php
@@ -731,9 +731,7 @@
 
         if (! $auth_plugin->authCheck()) {
             /* Force generating of new session on login */
-            if ($token_provided) {
-                PMA_secureSession();
-            }
+            PMA_secureSession();
             $auth_plugin->auth();
         } else {
             $auth_plugin->authSetUser();

diff --git a/libraries/plugins/auth/AuthenticationCookie.php b/libraries/plugins/auth/AuthenticationCookie.php
@@ -341,6 +341,7 @@ public function authCheck()
                 }
                 $GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername'];
             }
+            PMA_secureSession();
             return true;
         }