Merge branch 'bugfix/basic-auth-api-only-11151'

fixes #11151

library/Icinga/Authentication/Auth.php

@@ -270,7 +270,7 @@ class Auth
     }
 
     /**
-     * Attempt to authenticate a user using HTTP authentication
+     * Attempt to authenticate a user using HTTP authentication on API requests only
      *
      * Supports only the Basic HTTP authentication scheme. XHR will be ignored.
      *
@@ -278,13 +278,11 @@ class Auth
      */
     protected function authHttp()
     {
-        if ($this->getRequest()->isXmlHttpRequest()) {
+        $request = $this->getRequest();
+        if ($request->isXmlHttpRequest() || ! $request->isApiRequest()) {
             return false;
         }
-        if (($header = $this->getRequest()->getHeader('Authorization')) === false) {
+        if (empty($header = $request->getHeader('Authorization'))) {
-            return false;
-        }
-        if (empty($header)) {
             $this->challengeHttp();
         }
         list($scheme) = explode(' ', $header, 2);

library/Icinga/Web/Session/PhpSession.php

@@ -213,7 +213,9 @@ class PhpSession extends Session
     public function refreshId()
     {
         $this->open();
+        if ($this->exists()) {
             session_regenerate_id();
+        }
         session_write_close();
         $this->hasBeenTouched = true;
     }