From 136861fe3a5f523073a0a254afc9a0bf0696d53d Mon Sep 17 00:00:00 2001
From: Brad Jorsch
Date: Wed, 7 Aug 2013 12:21:22 -0400
Subject: [PATCH] Add wfResetSessionID()

The code for changing the session id cookie from Special:Userlogin is also needed in CentralAuth. So let's factor it out to avoid code duplication.

Change-Id: I777f76ee8e2b953a1e972327bedc28e0ab1acf0d
---
 RELEASE-NOTES-1.22 | 1 +
 docs/hooks.txt | 4 ++++
 includes/GlobalFunctions.php | 21 +++++++++++++++++++++
 includes/specials/SpecialUserlogin.php | 13 +------------
 4 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index b888cab588..6d91f0cbc7 100644
--- a/RELEASE-NOTES-1.22
+++ b/RELEASE-NOTES-1.22
@@ -177,6 +177,7 @@ production.
 * WebResponse::setcookie is much more featureful. Callers using PHP's setcookie() or setrawcookie() should begin using this instead.
 * New hook WebResponseSetCookie, called from WebResponse::setcookie().
+* New hook ResetSessionID, called when the session id is reset.
 === Bug fixes in 1.22 ===
 * Disable Special:PasswordReset when $wgEnableEmail is false. Previously one
diff --git a/docs/hooks.txt b/docs/hooks.txt
index 878823ba68..23ed032ee2 100644
--- a/docs/hooks.txt
+++ b/docs/hooks.txt
@@ -1913,6 +1913,10 @@ IContextSource $context: The RequestContext the skin is being created for.
 &$skin: A variable reference you may set a Skin instance or string key on to override the skin that will be used for the context.
+'ResetSessionID': Called from wfResetSessionID
+$oldSessionID: old session id
+$newSessionID: new session id
+
 'ResourceLoaderGetConfigVars': Called at the end of ResourceLoaderStartUpModule::getConfig(). Use this to export static configuration variables to JavaScript. Things that depend on the current page
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index fda8294276..4679941b70 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -3305,6 +3305,27 @@ function wfFixSessionID() {
 }
 }
+/**
+ * Reset the session_id
+ * @since 1.22
+ */
+function wfResetSessionID() {
+ global $wgCookieSecure;
+ $oldSessionId = session_id();
+ $cookieParams = session_get_cookie_params();
+ if ( wfCheckEntropy() && $wgCookieSecure == $cookieParams['secure'] ) {
+ session_regenerate_id( false );
+ } else {
+ $tmp = $_SESSION;
+ session_destroy();
+ wfSetupSession( MWCryptRand::generateHex( 32 ) );
+ $_SESSION = $tmp;
+ }
+ $newSessionId = session_id();
+ wfRunHooks( 'ResetSessionID', array( $oldSessionId, $newSessionId ) );
+}
+
+
 /**
 * Initialise php session
 *
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index 6e557f3a59..13a91aae80 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -1301,18 +1301,7 @@ class LoginForm extends SpecialPage {
 $wgCookieSecure = false;
 }
- // If either we don't trust PHP's entropy, or if we need
- // to change cookie settings when logging in because of
- // wpStickHTTPS, then change the session ID manually.
- $cookieParams = session_get_cookie_params();
- if ( wfCheckEntropy() && $wgCookieSecure == $cookieParams['secure'] ) {
- session_regenerate_id( false );
- } else {
- $tmp = $_SESSION;
- session_destroy();
- wfSetupSession( MWCryptRand::generateHex( 32 ) );
- $_SESSION = $tmp;
- }
+ wfResetSessionID();
 }
 /**
-- 
2.20.1
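Review bot: In wfResetSessionID() the result of `session_regenerate_id( false )` is ignored, and the `false` argument keeps the old session record, so a failed regeneration goes unnoticed and this branch, unlike the `else` branch with its `session_destroy()`, does not invalidate the previous id. Because this helper rotates the id at login, consider `session_regenerate_id( true )` with a check of its return value, provided deleting the old record is safe for requests still in flight, which this hunk does not show. The ResetSessionID hook also fires unconditionally, so handlers can receive identical old and new ids, and both values are live session identifiers that handlers should not log. The doc comment `Reset the session_id` should state this and carry over the rationale being deleted from SpecialUserlogin.php (distrust of PHP's entropy, or a cookie-settings change for wpStickHTTPS).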
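Review bot: The new call `wfResetSessionID();` silently depends on the `$wgCookieSecure = false;` assignment visible just above it, because the helper reads that global to choose between regenerating and rebuilding the session, and the comment that explained this is removed here. A one-line comment such as `// wfResetSessionID() compares $wgCookieSecure with the current cookie params; keep this call after any change to it` would protect that ordering from later edits. The enclosing method starts outside this hunk, so the condition guarding the assignment is not visible.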