[SECURITY] Regenerate session id upon login if needed 19/40819/2
author Helmut Hummel <helmut.hummel@typo3.org>
Tue, 17 Jun 2014 09:01:17 +0000 (11:01 +0200)
committer Benjamin Mack <benni@typo3.org>
Wed, 1 Jul 2015 14:20:33 +0000 (16:20 +0200)
commit 4f6e84bba3c13ea8b2652af1a4c47758aa0705f4
tree e0a5aa8ec2513c4f8974a55c4e051872feec99cd
parent bff9fa5945801d1d2c641ddc8eb86c6647549d80
[SECURITY] Regenerate session id upon login if needed

When authenticating as a frontend user with a previously
present anonymous session, the session id is not regenerated
which leads to a possible session fixation.

This is now fixed by re-generating a new id
when a user is just authenticated but no
new session id is generated during this process.

Resolves: #59258
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-003
Change-Id: Iba7e3fde089b1ba8e8fe37171cbd93f7c4b31209
Reviewed-on: http://review.typo3.org/40819
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php
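
The rule the commit message describes (issue a fresh id at login whenever the login did not itself create a new session) can be sketched as follows. This is an added example, not code from this commit or from TYPO3; `DemoSessionStore` and its methods are hypothetical, and carrying the anonymous session data over to the new id is an assumption.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory session store; not TYPO3's AbstractUserAuthentication.
final class DemoSessionStore
{
    /** @var array<string, array{user: ?string, data: array}> */
    private array $sessions = [];

    // Anonymous session, as a frontend visitor gets before logging in.
    public function startAnonymous(): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = ['user' => null, 'data' => []];
        return $id;
    }

    // Authenticate $user. $presentedId is the id the client sent, if any.
    public function login(?string $presentedId, string $user): string
    {
        $newSessionCreated = false;
        if ($presentedId === null || !isset($this->sessions[$presentedId])) {
            // Unknown ids are never adopted; the server picks its own.
            $presentedId = $this->startAnonymous();
            $newSessionCreated = true;
        }
        $id = $presentedId;
        if (!$newSessionCreated) {
            // Pre-existing anonymous session: login produced no new id, so make one.
            $id = bin2hex(random_bytes(16));
            $this->sessions[$id] = $this->sessions[$presentedId]; // keep data (assumption)
            unset($this->sessions[$presentedId]);                 // old id stops working
        }
        $this->sessions[$id]['user'] = $user;
        return $id;
    }

    public function userFor(string $id): ?string
    {
        return $this->sessions[$id]['user'] ?? null;
    }
}

// Constructed scenario: an id that existed before authentication.
$store = new DemoSessionStore();
$preLoginId = $store->startAnonymous();
$postLoginId = $store->login($preLoginId, 'alice');
var_dump($postLoginId !== $preLoginId);    // id changed at login
var_dump($store->userFor($preLoginId));    // pre-login id carries no user
var_dump($store->userFor($postLoginId));   // only the new id is authenticated
```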