authorGravatar Inverle <inverle@proton.me> 2025-08-30 21:40:00 +0200
committerGravatar GitHub <noreply@github.com> 2025-08-30 21:40:00 +0200
commit200eafb352f807bd70592b2ccc06745017328a85 (patch)
treef06f77ee648d3e9a421346bf9749893a8cd01607
parent585875cda7e3e261062a9b4f9d836bd8671b838e (diff)
Regenerate session ID on login (#7829)
Follow-up to #7762

* Regenerate session ID on login
* Send only one cookie
* Improvements
* Delete old session file
* Simplify
* Make function consistent with others
-rw-r--r--app/Controllers/authController.php10
-rw-r--r--app/Controllers/userController.php5
-rw-r--r--lib/Minz/Session.php18
3 files changed, 21 insertions, 12 deletions
diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 6b8d924d6..453851d22 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -152,6 +152,7 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
);
if ($ok) {
// Set session parameter to give access to the user.
+ Minz_Session::regenerateID('FreshRSS');
Minz_Session::_params([
Minz_User::CURRENT_USER => $username,
'passwordHash' => FreshRSS_Context::userConf()->passwordHash,
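Review bot: The session name `'FreshRSS'` is passed as a bare literal at this call site and again in the two later login hunks, the logout hunk and the userController hunk, so the name used for regeneration can silently drift from the one the session is otherwise started under. A class constant on Minz_Session holding the session name, used as the default for regenerateID's `$name` parameter, would let every caller simply write `Minz_Session::regenerateID();` and keep them in sync. The enclosing login method starts outside this hunk, so whether the session is already locked at this point (in which case the new regenerateID returns without doing anything) cannot be confirmed from here.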
@@ -203,6 +204,7 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
$ok = password_verify($password, $s);
unset($password);
if ($ok) {
+ Minz_Session::regenerateID('FreshRSS');
Minz_Session::_params([
Minz_User::CURRENT_USER => $username,
'passwordHash' => $s,
@@ -243,6 +245,7 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
)) {
Minz_Request::setBadNotification(_t('feedback.auth.login.invalid'));
} else {
+ Minz_Session::regenerateID('FreshRSS');
Minz_Session::_param('lastReauth', time());
Minz_Request::forward($redirect, true);
return;
@@ -259,12 +262,7 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
if (Minz_Request::isPost()) {
invalidateHttpCache();
FreshRSS_Auth::removeAccess();
-
- ini_set('session.use_cookies', '1');
- Minz_Session::lock();
- Minz_Session::regenerateID();
- Minz_Session::unlock();
-
+ Minz_Session::regenerateID('FreshRSS');
Minz_Request::good(_t('feedback.auth.logout.success'), [ 'c' => 'index', 'a' => 'index' ]);
} else {
Minz_Error::error(403);
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index 0acdc65c7..67a97c45a 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -149,10 +149,7 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController {
return;
}
- ini_set('session.use_cookies', '1');
- Minz_Session::lock();
- Minz_Session::regenerateID();
- Minz_Session::unlock();
+ Minz_Session::regenerateID('FreshRSS');
}
if (FreshRSS_Context::systemConf()->force_email_validation && empty($email)) {
diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php
index bb2c1a817..2f4058905 100644
--- a/lib/Minz/Session.php
+++ b/lib/Minz/Session.php
@@ -198,10 +198,24 @@ class Minz_Session {
/**
* Regenerate a session id.
- * Useful to call session_set_cookie_params after session_start()
*/
- public static function regenerateID(): void {
+ public static function regenerateID(string $name): void {
+ if (self::$volatile || self::$locked) {
+ return;
+ }
+ // Ensure that regenerating the session won't send multiple cookies so we can send one ourselves instead
+ ini_set('session.use_cookies', '0');
+ session_name($name);
+ session_start();
session_regenerate_id(true);
+ session_write_close();
+ $newId = session_id();
+ if ($newId === false) {
+ Minz_Error::error(500);
+ return;
+ }
+ $lifetime = session_get_cookie_params()['lifetime'];
+ setcookie($name, $newId, $lifetime, self::getCookieDir(), '', Minz_Request::isHttps(), true);
}
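Review bot: The `setcookie($name, $newId, $lifetime, ...)` call at the end of regenerateID passes `session_get_cookie_params()['lifetime']`, a duration in seconds, where setcookie's third argument is an absolute Unix timestamp (`time() + $lifetime`), so for any non-zero configured lifetime the browser treats the regenerated cookie as already expired and discards it; it only behaves correctly while the lifetime is 0. The legacy positional signature also cannot carry a SameSite attribute, so the regenerated cookie presumably loses whatever SameSite the session cookie is configured with elsewhere; the options-array form below keeps expiry and SameSite consistent with what PHP itself would have sent. Separately, `session_id()` returns `''` rather than `false` when no session exists, so the guard should read `if ($newId === false || $newId === '') {`. The early `return` when `self::$locked` is true silently skips regeneration for the login callers in authController, which then store credentials under the old ID; returning a bool (or logging) would make a skipped regeneration visible to callers.
```php
$params = session_get_cookie_params();
setcookie($name, $newId, [
    'expires' => $params['lifetime'] === 0 ? 0 : time() + $params['lifetime'],
    'path' => self::getCookieDir(),
    'secure' => Minz_Request::isHttps(),
    'httponly' => true,
    'samesite' => $params['samesite'],
]);
```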
public static function deleteLongTermCookie(string $name): void {