From 0de7662c8b428d2b59640b3ae070379f668274bb Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Fri, 12 Oct 2012 16:50:57 -0700
Subject: [PATCH] (bug 40995) Refresh SessionId on login
SpecialUserlogin updated to refresh the user's session_id on each
successful login.
Change-Id: I4129093b3b78d49835f7af8c6330738a6a2abf1f
---
includes/GlobalFunctions.php | 18 +++++++++++++-----
includes/specials/SpecialUserlogin.php | 19 +++++++++++++++++++
2 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index 3de25e7..f8bd200 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -3257,6 +3257,18 @@ function wfHttpOnlySafe() {
}
/**
+ * Check if there is sufficent entropy in php's built-in session generation
+ * @return bool true = there is sufficient entropy
+ */
+function wfCheckEntropy() {
+ return (
+ ( wfIsWindows() && version_compare( PHP_VERSION, '5.3.3', '>=' ) )
+ || ini_get( 'session.entropy_file' )
+ )
+ && intval( ini_get( 'session.entropy_length' ) ) >= 32;
+}
+
+/**
* Override session_id before session startup if php's built-in
* session generation code is not secure.
*/
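Review bot: The new docblock on wfCheckEntropy misspells "sufficent" and, more importantly, overstates what the function establishes: it only inspects `session.entropy_file` and `session.entropy_length` ini values, so a non-empty `entropy_file` pointing at something other than a random device would still pass. Suggest `* Check whether PHP's built-in session ID generation is configured with a usable entropy source (entropy_file set, or Windows with PHP >= 5.3.3) and at least 32 bytes of entropy_length. This only validates ini settings, not that the configured file is actually random.` The `@return` line could then read `@return bool true if the configured entropy looks sufficient`.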
@@ -3270,11 +3282,7 @@ function wfFixSessionID() {
// - entropy_file is set or you're on Windows with php 5.3.3+
// - AND entropy_length is > 0
// We treat it as disabled if it doesn't have an entropy length of at least 32
- $entropyEnabled = (
- ( wfIsWindows() && version_compare( PHP_VERSION, '5.3.3', '>=' ) )
- || ini_get( 'session.entropy_file' )
- )
- && intval( ini_get( 'session.entropy_length' ) ) >= 32;
+ $entropyEnabled = wfCheckEntropy();
// If built-in entropy is not enabled or not sufficient override php's built in session id generation code
if ( !$entropyEnabled ) {
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index f80e7da..d854b14 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -785,6 +785,8 @@ class LoginForm extends SpecialPage {
$userLang = Language::factory( $code );
$wgLang = $userLang;
$this->getContext()->setLanguage( $userLang );
+ // Reset SessionID on Successful login
+ $this->renewSessionId();
$this->successfulLogin();
} else {
$this->cookieRedirectCheck( 'login' );
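Review bot: The `renewSessionId()` call is placed after language setup but the start of this branch and the enclosing method are outside the hunk, so it is not visible whether anything has already been written to `$_SESSION` (or login cookies issued) before this line. For a session-fixation fix the regeneration needs to happen before any authenticated state is stored, otherwise that state lands in the attacker-known session; if earlier lines in this branch do write session state, the call should move above them. A comment stating the ordering requirement would help future edits keep it in place, e.g. `// Regenerate the session id BEFORE any authenticated state is stored (session fixation)`.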
@@ -1255,6 +1257,23 @@ class LoginForm extends SpecialPage {
}
/**
+ * Renew the user's session id, using strong entropy
+ */
+ private function renewSessionId() {
+ if ( wfCheckEntropy() ) {
+ session_regenerate_id( false );
+ } else {
+ //If we don't trust PHP's entropy, we have to replace the session manually
+ $tmp = $_SESSION;
+ session_unset();
+ session_write_close();
+ session_id( MWCryptRand::generateHex( 32 ) );
+ session_start();
+ $_SESSION = $tmp;
+ }
+ }
+
+ /**
* @private
*/
function cookieRedirectCheck( $type ) {
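Review bot: `session_regenerate_id( false )` keeps the old session alive server-side: PHP only deletes the old session file when the argument is `true`, so whatever the old session held remains reachable under the attacker-supplied ID until garbage collection, which is the scenario T42995 is about. The manual branch does not have this problem because `session_unset()` plus `session_write_close()` empties the old session before switching IDs, so the two branches currently differ in strength; change the first branch to `session_regenerate_id( true );` so both discard the old session. It would also be worth a one-line comment on the fallback noting why the data is copied through `$tmp`: `// Carry the session data over to the freshly generated id; the old session has been emptied above`.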
--
1.7.5.4