Make session ID regeneration configurable in security_settings.ini

aae7dceb · Till Brehm · 16ebfdab · aae7dceb · aae7dceb
Commit aae7dceb authored 8 years ago by Till Brehm
--- a/interface/web/login/index.php
+++ b/interface/web/login/index.php
@@ -216,8 +216,15 @@ if(count($_POST) > 0) {
 						$user = $app->db->toLower($user);
 						
 						if ($loginAs) $oldSession = $_SESSION['s'];
-						// Session regenerate causes login problems on some systems, have to find a better way. see Issue #3827
-						//if (!$loginAs) session_regenerate_id(true);
+						
+						// Session regenerate causes login problems on some systems, see Issue #3827
+						// Set session_regenerate_id to no in security settings, it you encounter
+						// this problem.
+						$app->uses('getconf');
+						$security_config = $app->getconf->get_security_config('permissions');
+						if(isset($security_config['session_regenerate_id']) && $security_config['session_regenerate_id'] == 'yes') {
+							if (!$loginAs) session_regenerate_id(true);
+						}
 						$_SESSION = array();
 						if ($loginAs) $_SESSION['s_old'] = $oldSession; // keep the way back!
 						$_SESSION['s']['user'] = $user;

--- a/security/security_settings.ini
+++ b/security/security_settings.ini
@@ -16,6 +16,7 @@ admin_allow_software_packages=superadmin
 admin_allow_software_repo=superadmin
 remote_api_allowed=yes
 password_reset_allowed=yes
+session_regenerate_id=yes

 [ids]
 ids_enabled=no