From 99668e87e5a22c23c0db2da5043082e0c74c7483 Mon Sep 17 00:00:00 2001
From: Matthias Jentsch
Date: Wed, 26 Feb 2014 19:23:34 +0100
Subject: [PATCH] Refresh session id on Authentication

To prevent session fixation, create a new session id each time authenticate is called.

refs #5625
---
 library/Icinga/Authentication/Manager.php | 3 +++
 library/Icinga/Session/PhpSession.php | 10 ++++++++++
 library/Icinga/Session/Session.php | 5 +++++
 3 files changed, 18 insertions(+)

diff --git a/library/Icinga/Authentication/Manager.php b/library/Icinga/Authentication/Manager.php
index a818c6081..2d791b194 100644
--- a/library/Icinga/Authentication/Manager.php
+++ b/library/Icinga/Authentication/Manager.php
@@ -369,6 +369,9 @@ class Manager
 );
 if ($persist == true) {
+ // Refresh the used session ID on each login, to offer protection against session fixation
+ $session = Session::getSession();
+ $session->refreshId();
 $this->persistCurrentUser();
 }
diff --git a/library/Icinga/Session/PhpSession.php b/library/Icinga/Session/PhpSession.php
index 0806d2fe2..fc04cc618 100644
--- a/library/Icinga/Session/PhpSession.php
+++ b/library/Icinga/Session/PhpSession.php
@@ -205,4 +205,14 @@ class PhpSession extends Session
 );
 }
 }
+
+ /**
+ * Assign a new sessionId to the currently active session
+ */
+ public function refreshId()
+ {
+ $this->open();
+ session_regenerate_id();
+ session_write_close();
+ }
 }
diff --git a/library/Icinga/Session/Session.php b/library/Icinga/Session/Session.php
index 44e490571..c65c239f7 100644
--- a/library/Icinga/Session/Session.php
+++ b/library/Icinga/Session/Session.php
@@ -57,6 +57,11 @@ abstract class Session extends SessionNamespace
 */
 abstract public function purge();
+ /**
+ * Assign a new session id to this session.
+ */
+ abstract public function refreshId();
+
 /**
 * Get or create a new session namespace
 *
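Review bot: The new `refreshId()` call sits inside `if ($persist == true)`, so an authentication that does not persist the user never rotates the session ID, which is narrower than the commit message's "each time authenticate is called"; if non-persistent logins still read or write the session that is a remaining fixation window, and if they are deliberately session-less the message and the added comment should say so. The ordering within the branch is right: the ID is rotated before `persistCurrentUser()` writes the authenticated user, so the pre-login ID is never bound to an authenticated session, and a why-comment capturing that invariant is worth adding, e.g. `// Rotate the ID before persisting the user so the pre-login ID never carries an authenticated session`. The enclosing method of `Manager` starts and ends outside the hunk, so whether other exit paths store session state before this point cannot be checked here.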
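Review bot: `session_regenerate_id()` in the new `refreshId()` is called without the `delete_old_session` argument and its return value is ignored, so the old session's data stays on the backend until garbage collection, and a failed regeneration (PHP returns false, for example when headers have already been sent) silently leaves the fixated ID in place. For a fixation defence the old session should be dropped and failure surfaced, along the lines of `if (!session_regenerate_id(true)) { /* report through the error path this class uses elsewhere */ }`, taking care that `session_write_close()` still runs on that path; the class's existing error handling is not visible in the hunk. Be aware that PHP documents a race when the old session is deleted while a concurrent request still carries the old ID; the `open()`/`session_write_close()` pairing here appears to hold the session only briefly, which narrows but does not remove that window, so it is worth a comment. The docblock should also state the contract rather than just the mechanism: `Assign a new session ID to the currently active session and invalidate the old one; call before storing authenticated state.`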
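Review bot: The docblock on the new abstract `refreshId()` does not state the security contract implementations must honour, which is the only reason the method exists; an implementer could satisfy "assign a new session id" while leaving the old ID resolving to the same data. Suggest expanding it to: `Assign a new session id to this session. Afterwards the previous id must no longer resolve to this session's data; callers rely on this for session-fixation protection and invoke it before persisting authenticated state.` If the file's other docblocks carry `@return` tags (only the closing `*/` of purge()'s is visible here), add a matching `@return void`.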