From 97e3a8178a31e9ccc53cd3c1238d9cc6b1dc0622 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Wed, 30 Jan 2019 16:08:09 -0500
Subject: [PATCH] use session_regenerate_id instead of other strange code
---
 web/includes/session.php | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/web/includes/session.php b/web/includes/session.php
index ae102424c..b65c65df6 100644
--- a/web/includes/session.php
+++ b/web/includes/session.php
@@ -21,7 +21,8 @@ function zm_session_start() {
 session_start();
 // Do not allow to use too old session ID
-  if (!empty($_SESSION['last_time']) && $_SESSION['last_time'] < time() - 180) {
+  if ( !empty($_SESSION['last_time']) && ( $_SESSION['last_time'] < (time() - 180) ) ) {
+    Info('Destroying session due to timeout. ');
 session_destroy();
 session_start();
 }
@@ -34,19 +35,14 @@ function zm_session_regenerate_id() {
 if ( session_status() != PHP_SESSION_ACTIVE ) {
 session_start();
 }
-  // WARNING: Never use confidential strings for prefix!
-  $newid = session_create_id();
+  // Set deleted timestamp. Session data must not be deleted immediately for reasons.
 $_SESSION['last_time'] = time();
 // Finish session
-  session_commit();
-  // Make sure to accept user defined session ID
-  // NOTE: You must enable use_strict_mode for normal operations.
-  ini_set('session.use_strict_mode', 0);
-  // Set new custome session ID
-  session_id($newid);
-  // Start with custome session ID
+  session_write_close();
+  session_start();
+  session_regenerate_id();
 }
 function is_session_started() {
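Review bot: The `session_start()` that follows `session_destroy()` in the timeout branch re-adopts whatever session ID the client sent in its cookie, so unless `session.use_strict_mode` is enabled (not visible in this hunk) the timed-out ID simply becomes a fresh, empty session under the same identifier instead of being retired. Since the purpose of the check is to stop stale IDs from being used, issue a new ID right after restarting: `session_destroy(); session_start(); session_regenerate_id(true);`. zm_session_start() begins before this hunk, and whether `last_time` is refreshed on every request (which the 180-second check presumes) is not visible here, so that should be confirmed before relying on the timeout.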
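Review bot: `session_regenerate_id()` is called without `delete_old_session`, so the previous ID remains a valid session, with its `last_time` freshly updated on the line above, until zm_session_start()'s 180-second check retires it; if this function is used at login, that leaves a session-fixation window in which a pre-set ID still works. The new comment says the data "must not be deleted immediately for reasons" without naming them; if the reason is the PHP manual's concurrent-request pattern, the old session should carry an explicit destroyed marker that zm_session_start() rejects, otherwise the simpler fix is `session_regenerate_id(true);`. The `session_write_close(); session_start();` pair before it also looks unnecessary, since the status check at the top of the hunk already guarantees an active session and `session_regenerate_id()` operates on it directly. I would replace the vague comment with one that states the actual constraint, e.g. `// Old ID is kept briefly so in-flight requests finish; it is retired by the last_time check in zm_session_start()`, if that is indeed the intent.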