Refresh session id on Authentication

To prevent session fixation, create a new session id each time authenticate is
called.

refs #5625

library/Icinga/Authentication/Manager.php

@@ -369,6 +369,9 @@ class Manager
         );
 
         if ($persist == true) {
+            // Refresh the used session ID on each login, to offer protection against session fixation
+            $session = Session::getSession();
+            $session->refreshId();
             $this->persistCurrentUser();
         }
 

library/Icinga/Session/PhpSession.php

@@ -205,4 +205,14 @@ class PhpSession extends Session
             );
         }
     }
+
+    /**
+     * Assign a new sessionId to the currently active session
+     */
+    public function refreshId()
+    {
+        $this->open();
+        session_regenerate_id();
+        session_write_close();
+    }
 }

library/Icinga/Session/Session.php

@@ -57,6 +57,11 @@ abstract class Session extends SessionNamespace
      */
     abstract public function purge();
 
+    /**
+     * Assign a new session id to this session.
+     */
+    abstract public function refreshId();
+
     /**
      * Get or create a new session namespace
      *