From ae7bc0b74d782df5e7442b91f6975d15d8e0c8ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?=
Date: Mon, 10 Apr 2023 21:36:31 -0700
Subject: [PATCH] Regenerate session ID after successful authentication

Closes #5141
---
 app/Core/User/UserSession.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app/Core/User/UserSession.php b/app/Core/User/UserSession.php
index 9c49850ab..808346de4 100644
--- a/app/Core/User/UserSession.php
+++ b/app/Core/User/UserSession.php
@@ -44,6 +44,10 @@ class UserSession extends Base
 $user['is_ldap_user'] = isset($user['is_ldap_user']) ? (bool) $user['is_ldap_user'] : false;
 $user['twofactor_activated'] = isset($user['twofactor_activated']) ? (bool) $user['twofactor_activated'] : false;
 
+ if (session_status() === PHP_SESSION_ACTIVE) {
+ session_regenerate_id(true);
+ }
+
 session_set('user', $user);
 session_set('postAuthenticationValidated', false);
 }
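Review bot: The return value of `session_regenerate_id(true)` is discarded in the added block, so if regeneration fails (PHP returns `false`, for example once headers have already been sent) the user data is still written into the session under the pre-login ID and the fixation defence is silently skipped. Consider failing closed, e.g. `if (session_status() === PHP_SESSION_ACTIVE && session_regenerate_id(true) === false) { throw new \RuntimeException('Unable to regenerate session ID'); }`, or at least logging the failure. The block also deserves a one-line comment such as `// Rotate the session ID on login so a pre-authentication ID cannot be reused (session fixation)`. The enclosing method starts above the hunk, so whether the ID is rotated again when `postAuthenticationValidated` later becomes true cannot be judged from here.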