authorGravatar Inverle <inverle@proton.me> 2025-08-30 21:40:00 +0200
committerGravatar GitHub <noreply@github.com> 2025-08-30 21:40:00 +0200
commit200eafb352f807bd70592b2ccc06745017328a85 (patch)
treef06f77ee648d3e9a421346bf9749893a8cd01607 /lib/Minz/Session.php
parent585875cda7e3e261062a9b4f9d836bd8671b838e (diff)
Regenerate session ID on login (#7829)
Follow-up to #7762 * Regenerate session ID on login * Send only one cookie * Improvements * Delete old session file * Simplify * Make function consistent with others
Diffstat (limited to 'lib/Minz/Session.php')
-rw-r--r--lib/Minz/Session.php18
1 files changed, 16 insertions, 2 deletions
diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php
index bb2c1a817..2f4058905 100644
--- a/lib/Minz/Session.php
+++ b/lib/Minz/Session.php
@@ -198,10 +198,24 @@ class Minz_Session {
/**
* Regenerate a session id.
- * Useful to call session_set_cookie_params after session_start()
*/
- public static function regenerateID(): void {
+ public static function regenerateID(string $name): void {
+ if (self::$volatile || self::$locked) {
+ return;
+ }
+ // Ensure that regenerating the session won't send multiple cookies so we can send one ourselves instead
+ ini_set('session.use_cookies', '0');
+ session_name($name);
+ session_start();
session_regenerate_id(true);
+ session_write_close();
+ $newId = session_id();
+ if ($newId === false) {
+ Minz_Error::error(500);
+ return;
+ }
+ $lifetime = session_get_cookie_params()['lifetime'];
+ setcookie($name, $newId, $lifetime, self::getCookieDir(), '', Minz_Request::isHttps(), true);
}
public static function deleteLongTermCookie(string $name): void {
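Review bot: The third argument of `setcookie()` on the last added line of `regenerateID()` is an absolute expiry timestamp, but `session_get_cookie_params()['lifetime']` is a duration in seconds. If the configured lifetime is ever non-zero, the expiry lands in 1970 and the browser drops the regenerated session cookie at once; only 0 (a session cookie) behaves as intended. Consider `$expires = $lifetime > 0 ? time() + $lifetime : 0;` and pass `$expires`, ideally through the options-array form of `setcookie()` so the `samesite` value returned by `session_get_cookie_params()` is carried over to the new cookie as well. Separately, `session_id()` returns an empty string rather than `false` when no session is active, and the results of `session_start()` and `session_regenerate_id(true)` are not checked, so a failed start would reach `setcookie()` with an empty value; `if ($newId === false || $newId === '')` would route that case to the existing error path.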