Commit aae7dceb authored by Till Brehm's avatar Till Brehm

Make session ID regeneration configurable in security_settings.ini

parent 16ebfdab
......@@ -216,8 +216,15 @@ if(count($_POST) > 0) {
$user = $app->db->toLower($user);
if ($loginAs) $oldSession = $_SESSION['s'];
// Session regenerate causes login problems on some systems, have to find a better way. see Issue #3827
//if (!$loginAs) session_regenerate_id(true);
// Session regenerate causes login problems on some systems, see Issue #3827
// Set session_regenerate_id to no in security settings, it you encounter
// this problem.
$app->uses('getconf');
$security_config = $app->getconf->get_security_config('permissions');
if(isset($security_config['session_regenerate_id']) && $security_config['session_regenerate_id'] == 'yes') {
if (!$loginAs) session_regenerate_id(true);
}
$_SESSION = array();
if ($loginAs) $_SESSION['s_old'] = $oldSession; // keep the way back!
$_SESSION['s']['user'] = $user;
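Review bot: The new guard around `session_regenerate_id(true)` fails open: if `session_regenerate_id` is absent from the `permissions` section (for example an existing security_settings.ini that predates this key, assuming upgrades do not merge new defaults), the `isset(...) && ... == 'yes'` test is false and the login keeps its pre-authentication session ID, which is the condition session fixation depends on. Inverting the default keeps the protection unless an administrator explicitly opts out: `if(!isset($security_config['session_regenerate_id']) || $security_config['session_regenerate_id'] != 'no') {`. The comment above the guard should state the trade-off, e.g. `// session_regenerate_id=no disables session fixation protection at login; use it only as a workaround for Issue #3827.`, and "it you encounter" should read "if you encounter". The enclosing `if(count($_POST) > 0)` block starts and ends outside the hunk.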
......
......@@ -16,6 +16,7 @@ admin_allow_software_packages=superadmin
admin_allow_software_repo=superadmin
remote_api_allowed=yes
password_reset_allowed=yes
session_regenerate_id=yes
[ids]
ids_enabled=no
......