authorGravatar Inverle <inverle@proton.me> 2025-07-29 14:44:14 +0200
committerGravatar GitHub <noreply@github.com> 2025-07-29 14:44:14 +0200
commite967b07589f687fcd2f71e2df265fcb7c4f15c07 (patch)
tree662c1358832866d2477ae4014254a68fb11dd0bf
parentfe9ef3b5063b89ffe9f18e7a729007be484c398d (diff)
Regenerate cookie ID after logging out (#7762)
So that a hijacked session cookie can no longer be reused in another browser after the user logs out
-rw-r--r--app/Controllers/authController.php6
1 files changed, 6 insertions, 0 deletions
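diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 4de8d01f1..b090eb486 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -226,6 +226,12 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 if (Minz_Request::isPost()) {
 invalidateHttpCache();
 FreshRSS_Auth::removeAccess();
+
+ ini_set('session.use_cookies', '1');
+ Minz_Session::lock();
+ Minz_Session::regenerateID();
+ Minz_Session::unlock();
+
 Minz_Request::good(_t('feedback.auth.logout.success'), [ 'c' => 'index', 'a' => 'index' ]);
 } else {
 Minz_Error::error(403);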
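Review bot: The ID regeneration on the added lines only achieves the stated goal if the previous session record is also invalidated server-side; if `Minz_Session::regenerateID()` wraps `session_regenerate_id()` without the delete-old-session flag, a cookie still carrying the old ID can resume the old session until garbage collection, so please confirm it passes `true` or otherwise discards the old data. The `ini_set('session.use_cookies', '1')` toggle is unexplained and reads as a magic switch; I would precede it with `// Re-enable the session cookie so the regenerated ID is actually sent to the browser` (adjusted to the real reason if FreshRSS disables it elsewhere). It is also worth verifying that the cookie emitted for the new ID carries the same Secure/HttpOnly/SameSite attributes as the one set at login, since a downgraded replacement cookie would weaken the protection this change adds. The enclosing action method starts before this hunk.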