[SECURITY] Regenerate session id upon login if needed (1757b4d7) · Commits · TYPO3 / TYPO3.CMS

Commit 1757b4d7 authored 10 years ago by

Helmut Hummel Committed by Benjamin Mack 9 years ago

[SECURITY] Regenerate session id upon login if needed

When authenticating as a frontend user with a previously
present anonymous session, the session id is not regenerated
which leads to a possible session fixation.

This is now fixed by re-generating a new id
when a user is just authenticated but no
new session id is generated during this process.

Resolves: #59258
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-003
Change-Id: Ia52b17e95cf8074b0f569cf025eab4d041d1677f
Reviewed-on: http://review.typo3.org/40805


Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>

parent d3c9706c

No related merge requests found

Hide whitespace changes

Inline Side-by-side

Showing with 39 additions and 0 deletions

Please register or to comment