Commit 8ef7c6fb authored by Dries's avatar Dries

- Patch #801278 by mfb, marcingy: authenticated users getting 'less random' session IDs.

parent 4771540e
......@@ -315,18 +315,12 @@ function drupal_session_regenerate() {
if (drupal_session_started()) {
$old_session_id = session_id();
session_regenerate_id();
}
else {
// Start the session when it doesn't exist yet.
// Preserve the logged in user, as it will be reset to anonymous
// by _drupal_session_read.
$account = $user;
drupal_session_start();
$user = $account;
}
session_id(drupal_hash_base64(uniqid(mt_rand(), TRUE) . drupal_random_bytes(55)));
if (isset($old_session_id)) {
$params = session_get_cookie_params();
setcookie(session_name(), session_id(), REQUEST_TIME + $params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']);
$fields = array('sid' => session_id());
if ($is_https) {
$fields['ssid'] = session_id();
......@@ -350,6 +344,14 @@ function drupal_session_regenerate() {
->condition('sid', $old_insecure_session_id)
->execute();
}
else {
// Start the session when it doesn't exist yet.
// Preserve the logged in user, as it will be reset to anonymous
// by _drupal_session_read.
$account = $user;
drupal_session_start();
$user = $account;
}
date_default_timezone_set(drupal_get_user_timezone());
}
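Review bot: The explicit `session_id(drupal_hash_base64(uniqid(mt_rand(), TRUE) . drupal_random_bytes(55)))` call is the security-relevant line of the first hunk, yet nothing records why it is there or that the ID's unpredictability rests solely on drupal_random_bytes(55); uniqid() and mt_rand() are predictable and contribute uniqueness only, so a later cleanup that keeps them and drops the random bytes would silently reintroduce the weak IDs this commit fixes. I would add above it: `// Build the ID ourselves so that started and not-yet-started sessions get the same quality of ID: uniqid()/mt_rand() only add uniqueness, the unpredictability comes from drupal_random_bytes().` With that override in place, the session_regenerate_id() call kept in the started branch appears to yield an ID that is immediately replaced; whether it still has a side effect worth keeping (e.g. in the save handler) cannot be judged from this hunk, so a one-line comment stating its purpose, or its removal, would help. The function's opening, including the global declaration of $user and $is_https that both hunks rely on, lies above the first hunk.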