[SECURITY] Regenerate session id upon login if needed 05/40805/2 05/40805/3
author: Helmut Hummel <helmut.hummel@typo3.org>
Tue, 17 Jun 2014 09:01:17 +0000 (11:01 +0200)
committer: Benjamin Mack <benni@typo3.org>
Wed, 1 Jul 2015 14:09:33 +0000 (16:09 +0200)
commit: 1757b4d7d138196612659d077fc06f2d5b06015b
tree: bb8c64a08ae5a9e827011afec7eb4e8c9b22dc9f
parent: d3c9706c827074adaefd8a79ecf5024fa4b9c756
[SECURITY] Regenerate session id upon login if needed

When authenticating as a frontend user with a previously
present anonymous session, the session id is not regenerated
which leads to a possible session fixation.

This is now fixed by re-generating a new id
when a user is just authenticated but no
new session id is generated during this process.

Resolves: #59258
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-003
Change-Id: Ia52b17e95cf8074b0f569cf025eab4d041d1677f
Reviewed-on: http://review.typo3.org/40805
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php
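
The condition described in the commit message (a user is authenticated on a session id that already existed, so no new id was generated during login) can be shown with a small in-memory store. This is an added example, not code from the TYPO3 core or from this commit; `FrontendSessionStore`, its methods and the `$regenerate` switch are hypothetical names chosen for illustration.

```php
<?php
// Added illustration only: class and method names are hypothetical, not TYPO3 core code.
final class FrontendSessionStore
{
    /** @var array<string, array> session id => ['user' => ?string, 'data' => array] */
    private array $rows = [];

    /** Reuse the id from the cookie if it is known, otherwise create an anonymous session. */
    public function start(?string $cookieId): array
    {
        if ($cookieId !== null && isset($this->rows[$cookieId])) {
            return [$cookieId, false];               // existing id, nothing generated
        }
        $id = bin2hex(random_bytes(16));
        $this->rows[$id] = ['user' => null, 'data' => []];
        return [$id, true];                          // fresh id generated in this request
    }

    /** $regenerate = false models the behaviour before the fix, true the behaviour after it. */
    public function login(?string $cookieId, string $user, bool $regenerate = true): string
    {
        [$id, $isNew] = $this->start($cookieId);
        if ($regenerate && !$isNew) {
            // Authenticated on a pre-existing id: move the data to a new id, drop the old one.
            $newId = bin2hex(random_bytes(16));
            $this->rows[$newId] = $this->rows[$id];
            unset($this->rows[$id]);
            $id = $newId;
        }
        $this->rows[$id]['user'] = $user;
        return $id;
    }

    public function userFor(string $id): ?string
    {
        return $this->rows[$id]['user'] ?? null;
    }
}

$store = new FrontendSessionStore();

// Constructed scenario 1: anonymous session exists before login, no regeneration.
[$anonId] = $store->start(null);
$afterLogin = $store->login($anonId, 'alice', false);
var_dump($afterLogin === $anonId, $store->userFor($anonId));

// Constructed scenario 2: same starting point, regeneration enabled.
[$anonId2] = $store->start(null);
$fixedId = $store->login($anonId2, 'bob');
var_dump($fixedId === $anonId2, $store->userFor($anonId2), $store->userFor($fixedId));
```

A regression test for a fix of this kind would compare the session id sent before login with the one issued after it, and confirm that the pre-login id no longer resolves to any session.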