- sa-2006-003: Session fixation issue

2006-03-13 21:48:55 +00:00 · 2006-03-13 21:48:55 +00:00 · e4a27b8f34
parent b6dba27ac2
commit e4a27b8f34
2 changed files with 10 additions and 0 deletions
--- a/modules/user.module
+++ b/modules/user.module
@ -915,6 +915,11 @@ function user_login_submit($form_id, $form_values) {
    db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $user->uid);

    user_module_invoke('login', $form_values, $user);
+
+    $old_session_id = session_id();
+    session_regenerate_id();
+    db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id);
+
  }
 }

--- a/modules/user/user.module
+++ b/modules/user/user.module
@ -915,6 +915,11 @@ function user_login_submit($form_id, $form_values) {
    db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $user->uid);

    user_module_invoke('login', $form_values, $user);
+
+    $old_session_id = session_id();
+    session_regenerate_id();
+    db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id);
+
  }
 }