Fix h1 report 176116

Session fixation
----------------

The HackerOne user pavanw3b has reported that Revive Adserver wasn't
properly invalidating the current session when setting a new password
via the forgot password mechanism. That could allow attackers having
access to the session ID to keep the authenticated session alive.

CWE-ID: CWE-384

CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
CVSSv3 Base Score: 5.9
CVSSv3 Temporal Score: 5.2

Author: mbeccati

lib/OA/Admin/PasswordRecovery.php

@@ -117,7 +117,9 @@ function handlePost($vars)
             if (empty($vars['newpassword']) || empty($vars['newpassword2']) || $vars['newpassword'] != $vars['newpassword2']) {
                 $this->displayRecoveryResetForm($vars['id'], $GLOBALS['strNotSamePasswords']);
             } elseif ($this->_dal->checkRecoveryId($vars['id'])) {
-                $userId = $this->_dal->saveNewPasswordAndLogin($vars['id'], $vars['newpassword']);
+                $this->_dal->saveNewPasswordAndLogin($vars['id'], $vars['newpassword']);
+
+                phpAds_SessionRegenerateId();
                 OX_Admin_Redirect::redirect();
             } else {
                 $this->displayRecoveryRequestForm($GLOBALS['strPwdRecWrongId']);