From aae7dceb7968fb8fe18b6065ee30ac86f3bcaee3 Mon Sep 17 00:00:00 2001
From: Till Brehm
Date: Sat, 23 Jul 2016 15:21:19 +0200
Subject: [PATCH] Make session ID regeneration configurable in security_settings.ini

---
 interface/web/login/index.php | 11 +++++++++--
 security/security_settings.ini | 1 +
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/interface/web/login/index.php b/interface/web/login/index.php
index 349f233760..75a013b811 100644
--- a/interface/web/login/index.php
+++ b/interface/web/login/index.php
@@ -216,8 +216,15 @@ if(count($_POST) > 0) {
 $user = $app->db->toLower($user);
 if ($loginAs) $oldSession = $_SESSION['s'];
- // Session regenerate causes login problems on some systems, have to find a better way. see Issue #3827
- //if (!$loginAs) session_regenerate_id(true);
+
+ // Session regenerate causes login problems on some systems, see Issue #3827
+ // Set session_regenerate_id to no in security settings, it you encounter
+ // this problem.
+ $app->uses('getconf');
+ $security_config = $app->getconf->get_security_config('permissions');
+ if(isset($security_config['session_regenerate_id']) && $security_config['session_regenerate_id'] == 'yes') {
+ if (!$loginAs) session_regenerate_id(true);
+ }
 $_SESSION = array();
 if ($loginAs) $_SESSION['s_old'] = $oldSession; // keep the way back!
 $_SESSION['s']['user'] = $user;
diff --git a/security/security_settings.ini b/security/security_settings.ini
index d3b8d9c743..5cc381e3cd 100644
--- a/security/security_settings.ini
+++ b/security/security_settings.ini
@@ -16,6 +16,7 @@ admin_allow_software_packages=superadmin
 admin_allow_software_repo=superadmin
 remote_api_allowed=yes
 password_reset_allowed=yes
+session_regenerate_id=yes
 [ids]
 ids_enabled=no
--
GitLab
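Review bot: The new guard in index.php fails open when the setting is absent — `isset($security_config['session_regenerate_id']) && ... == 'yes'` skips session_regenerate_id() entirely unless security_settings.ini explicitly contains the key, so an installation whose ini predates this commit (if upgrades leave that file in place, which cannot be confirmed from the diff) silently loses the session-fixation protection that regenerating the ID at login provides. Treat a missing key as the default `yes` and use a strict comparison: `if (!isset($security_config['session_regenerate_id']) || $security_config['session_regenerate_id'] === 'yes') {`. The added comment has a typo (`it you encounter` → `if you encounter`) and should state what the opt-out costs, e.g. `// Setting session_regenerate_id=no weakens protection against session fixation; use it only as a workaround for Issue #3827.`; the same caveat belongs beside the new `session_regenerate_id=yes` line in security_settings.ini. The enclosing `if(count($_POST) > 0)` block starts before and continues past this hunk.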