
Fix auth'd user information being saved to session before switching s…
…ession ids, leaving a bogus authenticated user in the previous session.
connortechnology committed Mar 21, 2022
1 parent 08598ac commit 5317932
Showing 2 changed files with 8 additions and 15 deletions.
15 changes: 6 additions & 9 deletions web/includes/actions/login.php
Expand Up @@ -75,16 +75,14 @@

// if captcha existed, it was passed

if ( ! isset($user) ) {
if (!isset($user) ) {
$_SESSION['loginFailed'] = true;
return;
}

$close_session = 0;
if ( !is_session_started() ) {
zm_session_start();
$close_session = 1;
}
if (is_session_started()) session_write_close();
zm_session_clear();
zm_session_regenerate_id(); # starts session

$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
Expand All @@ -105,10 +103,9 @@
// Need to save this in session, can't use the value in User because it is hashed
$_SESSION['password'] = $_REQUEST['password'];
}
zm_session_regenerate_id();
$_SESSION['remoteAddr'] = $_SERVER['REMOTE_ADDR'];
generateAuthHash(ZM_AUTH_HASH_IPS, true);
if ( $close_session )
session_write_close();
session_write_close();

$view = 'postlogin';
} # end if doing a login action
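Review bot: The `# starts session` comment on the new `zm_session_regenerate_id();` line in the first hunk leans on that function's fallback `session_start()`, while the function's own header in session.php still says it assumes zm_session_start() was called previously; after zm_session_clear() has destroyed the session, nothing is active, so the login path now reopens the session through plain `session_start()` rather than `zm_session_start()`. If zm_session_start() performs per-start setup (cookie parameters, a custom save handler — the Session class at the end of session.php hints at one), that setup may be skipped here; an explicit `zm_session_start();` before `zm_session_regenerate_id();` would make the dependency visible and match the documented contract, and the same applies to the fallback lines added in session.php's zm_session_regenerate_id() and zm_session_clear(). The ordering itself — close, clear, regenerate, then write `$_SESSION['username']` and the auth hash — is the right shape against session fixation, since authenticated state is only written under the freshly issued ID. The enclosing login branch begins before the first hunk and is closed by `} # end if doing a login action` in the second.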
8 changes: 2 additions & 6 deletions web/includes/session.php
Expand Up @@ -63,9 +63,7 @@ function zm_session_start() {
// session regenerate id function
// Assumes that zm_session_start has been called previously
function zm_session_regenerate_id() {
if ( session_status() != PHP_SESSION_ACTIVE ) {
session_start();
}
if (!is_session_started()) session_start();

// Set deleted timestamp. Session data must not be deleted immediately for reasons.
$_SESSION['last_time'] = time();
Expand All @@ -92,7 +90,7 @@ function is_session_started() {
} // function is_session_started()

function zm_session_clear() {
session_start();
if (!is_session_started()) session_start();
$_SESSION = array();
if ( ini_get('session.use_cookies') ) {
$p = session_get_cookie_params();
Expand All @@ -102,10 +100,8 @@ function zm_session_clear() {
session_unset();
session_destroy();
session_write_close();
session_start();
} // function zm_session_clear()


class Session {
private $db;
public function __construct() {
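Review bot: zm_session_clear() in the third hunk now returns with no active session, because the trailing `session_start()` was removed, but the function has no comment recording that callers must start a session themselves before touching `$_SESSION`; the `session_write_close()` kept after `session_destroy()` also appears to act on an already-ended session, since session_destroy() ends it, so it is likely a no-op that could be dropped once confirmed. A header comment such as `// Wipes and destroys the current session and leaves none active; callers (e.g. zm_session_regenerate_id()) must start one before writing $_SESSION.` would pin the new contract. In the second hunk, guarding the start with `if (!is_session_started())` is an improvement over the unconditional call, which would have warned when a session was already open. The bodies of zm_session_regenerate_id() and zm_session_clear() extend beyond the hunks shown.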
