Refresh session id on Authentication

To prevent session fixation, create a new session id each time authenticate is called. refs #5625
2014-02-26 19:23:34 +01:00 · 2014-02-26 19:23:34 +01:00 · 99668e87e5
parent bcfebcd937
commit 99668e87e5
3 changed files with 18 additions and 0 deletions
--- a/library/Icinga/Authentication/Manager.php
+++ b/library/Icinga/Authentication/Manager.php
@ -369,6 +369,9 @@ class Manager
        );

        if ($persist == true) {
+            // Refresh the used session ID on each login, to offer protection against session fixation
+            $session = Session::getSession();
+            $session->refreshId();
            $this->persistCurrentUser();
        }

--- a/library/Icinga/Session/PhpSession.php
+++ b/library/Icinga/Session/PhpSession.php
@ -205,4 +205,14 @@ class PhpSession extends Session
            );
        }
    }
+
+    /**
+     * Assign a new sessionId to the currently active session
+     */
+    public function refreshId()
+    {
+        $this->open();
+        session_regenerate_id();
+        session_write_close();
+    }
 }
--- a/library/Icinga/Session/Session.php
+++ b/library/Icinga/Session/Session.php
@ -57,6 +57,11 @@ abstract class Session extends SessionNamespace
     */
    abstract public function purge();

+    /**
+     * Assign a new session id to this session.
+     */
+    abstract public function refreshId();
+
    /**
     * Get or create a new session namespace
     *