[SECURITY] Regenerate session id upon login if needed 12/40812/2
author Helmut Hummel <helmut.hummel@typo3.org>
Tue, 17 Jun 2014 09:01:17 +0000 (11:01 +0200)
committer Benjamin Mack <benni@typo3.org>
Wed, 1 Jul 2015 14:16:54 +0000 (16:16 +0200)
commit 4c9aba94a930d56ab374693c9c5cc0458587278a
tree 58d05bf1c937b818545da2e8f3d29831b9d666e3
parent 0decbf83c531cab77497429eb2edecf9a1038b25
[SECURITY] Regenerate session id upon login if needed

When authenticating as a frontend user with a previously
present anonymous session, the session id is not regenerated
which leads to a possible session fixation.

This is now fixed by re-generating a new id
when a user is just authenticated but no
new session id is generated during this process.

Resolves: #59258
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-003
Change-Id: I8cb19a1125e6be5286a4995293f25d00e2d0e1af
Reviewed-on: http://review.typo3.org/40812
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php
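
The behaviour the commit message describes, as an added example that is not TYPO3's code and not part of this commit: a login that keeps a previously present anonymous session id, next to one that issues a new id at authentication. `SessionStore`, its methods and the user name are hypothetical names made up for this illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory session store for illustration; not TYPO3's classes or API.
final class SessionStore
{
    /** @var array<string, array{user: ?string}> session id => session data */
    private array $sessions = [];

    public function create(): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = ['user' => null];
        return $id;
    }

    public function userOf(string $id): ?string
    {
        return $this->sessions[$id]['user'] ?? null;
    }

    // $regenerate = false keeps a presented anonymous id across login (the behaviour
    // the commit message describes); true issues a fresh id and retires the old one.
    public function login(?string $presentedId, string $user, bool $regenerate): string
    {
        $isNew = $presentedId === null || !isset($this->sessions[$presentedId]);
        $id = $isNew ? $this->create() : $presentedId;
        if ($regenerate && !$isNew) {
            $fresh = bin2hex(random_bytes(16));
            $this->sessions[$fresh] = $this->sessions[$id]; // keep anonymous session data
            unset($this->sessions[$id]);                    // old id no longer resolves
            $id = $fresh;
        }
        $this->sessions[$id]['user'] = $user;
        return $id;
    }
}

$store = new SessionStore();

$before = $store->create();                       // constructed anonymous session
$after = $store->login($before, 'alice', false);
printf("no regeneration: id changed=%s, old id user=%s\n",
    var_export($after !== $before, true), var_export($store->userOf($before), true));

$before = $store->create();
$after = $store->login($before, 'alice', true);
printf("regeneration:    id changed=%s, old id user=%s\n",
    var_export($after !== $before, true), var_export($store->userOf($before), true));
```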