From e967b07589f687fcd2f71e2df265fcb7c4f15c07 Mon Sep 17 00:00:00 2001
From: Inverle <inverle@proton.me>
Date: Tue, 29 Jul 2025 14:44:14 +0200
Subject: Regenerate cookie ID after logging out (#7762)

To make the session cookie no longer usable if hijacked and put in another browser after user logs out
---
 app/Controllers/authController.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 4de8d01f1..b090eb486 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -226,6 +226,12 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 		if (Minz_Request::isPost()) {
 			invalidateHttpCache();
 			FreshRSS_Auth::removeAccess();
+
+			ini_set('session.use_cookies', '1');
+			Minz_Session::lock();
+			Minz_Session::regenerateID();
+			Minz_Session::unlock();
+
 			Minz_Request::good(_t('feedback.auth.logout.success'), [ 'c' => 'index', 'a' => 'index' ]);
 		} else {
 			Minz_Error::error(403);
-- 
cgit v1.2.3