From: csteipp
Date: Thu, 29 Nov 2012 22:02:18 +0000 (-0800)
Subject: (bug 40995) Refresh SessionId on login
X-Git-Tag: 1.31.0-rc.0~21468
X-Git-Url: http://git.cyclocoop.org/%22%20.%20generer_url_ecrire%28%22lang_raccourcis%22%2C%22module=%24nom_module%22%29%20.%20%22?a=commitdiff_plain;h=d834a4892af5ea57b3ee387dad79ad1a2205acad;p=lhc%2Fweb%2Fwiklou.git

(bug 40995) Refresh SessionId on login

SpecialUserlogin updated to refresh the user's session_id on each successful login.

Change-Id: I1bd76f2c199b515f570e18669ca2138668bf847e
---
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index 982e965d3a..b6cabdacd3 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -3269,6 +3269,18 @@ function wfHttpOnlySafe() {
 	return true;
 }
 
+/**
+ * Check if there is sufficent entropy in php's built-in session generation
+ * @return bool true = there is sufficient entropy
+ */
+function wfCheckEntropy() {
+	return (
+		( wfIsWindows() && version_compare( PHP_VERSION, '5.3.3', '>=' ) )
+		|| ini_get( 'session.entropy_file' )
+	)
+	&& intval( ini_get( 'session.entropy_length' ) ) >= 32;
+}
+
 /**
  * Override session_id before session startup if php's built-in
  * session generation code is not secure.
@@ -3283,11 +3295,7 @@ function wfFixSessionID() {
 	// - entropy_file is set or you're on Windows with php 5.3.3+
 	// - AND entropy_length is > 0
 	// We treat it as disabled if it doesn't have an entropy length of at least 32
-	$entropyEnabled = (
-		( wfIsWindows() && version_compare( PHP_VERSION, '5.3.3', '>=' ) )
-		|| ini_get( 'session.entropy_file' )
-	)
-	&& intval( ini_get( 'session.entropy_length' ) ) >= 32;
+	$entropyEnabled = wfCheckEntropy();
 
 	// If built-in entropy is not enabled or not sufficient override php's built in session id generation code
 	if ( !$entropyEnabled ) {
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index fd33ec1f01..4980ffb230 100644
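Review bot: The docblock on wfCheckEntropy misspells "sufficient" and does not say what the function treats as sufficient, while the three-line comment left in wfFixSessionID in the second hunk (`// - entropy_file is set or you're on Windows with php 5.3.3+` …) still spells out the check that has now moved into this function, so the explanation lives in one place and the code in another. Suggest the docblock read `* Check whether PHP's built-in session id generation has sufficient entropy:` / `* entropy_file is set (or Windows with PHP >= 5.3.3) and entropy_length is at least 32.`, and the comment in wfFixSessionID point at wfCheckEntropy instead of restating the criteria. The function only reads ini settings, so calling it after session startup (as the SpecialUserlogin hunk does) is fine; a one-line remark in the docblock that it is safe to call at any time would make that explicit.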
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -785,6 +785,8 @@ class LoginForm extends SpecialPage {
 			$userLang = Language::factory( $code );
 			$wgLang = $userLang;
 			$this->getContext()->setLanguage( $userLang );
+			// Reset SessionID on Successful login (bug 40995)
+			$this->renewSessionId();
 			$this->successfulLogin();
 		} else {
 			$this->cookieRedirectCheck( 'login' );
@@ -1258,6 +1260,23 @@ class LoginForm extends SpecialPage {
 		$wgRequest->setSessionData( 'wsCreateaccountToken', null );
 	}
 
+	/**
+	 * Renew the user's session id, using strong entropy
+	 */
+	private function renewSessionId() {
+		if ( wfCheckEntropy() ) {
+			session_regenerate_id( false );
+		} else {
+			//If we don't trust PHP's entropy, we have to replace the session manually
+			$tmp = $_SESSION;
+			session_unset();
+			session_write_close();
+			session_id( MWCryptRand::generateHex( 32 ) );
+			session_start();
+			$_SESSION = $tmp;
+		}
+	}
+
 	/**
 	 * @private
 	 */
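Review bot: The comment added above `$this->renewSessionId();` names the bug number but not the reason the id must change at this point, so a later reader cannot tell whether the call may be moved or dropped. Suggest `// Issue a fresh session id on successful login so a session id obtained before authentication cannot be reused (session fixation; bug 40995)`. The enclosing method starts and ends outside the hunk; renewSessionId carries `$_SESSION` over, so session data set earlier in this branch survives, but any other code path that completes a login without passing through this line would presumably still keep the pre-login id and is worth checking.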
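Review bot: `session_regenerate_id( false )` keeps the old session record alive under the old id, so the two branches of renewSessionId are not equivalent: the manual branch empties and closes the old session (`session_unset(); session_write_close();`) before switching ids, while the built-in branch leaves the old record readable until garbage collection. Unless the old record is needed by a concurrent request, `session_regenerate_id( true );` gives the same invalidation the manual path already performs. The manual branch also calls `session_start()` directly; if session setup elsewhere installs a custom save handler or session name, confirm that it survives the `session_write_close()`/`session_start()` cycle here. The docblock could state what the code shows, e.g. `* Renew the user's session id, using strong entropy. The contents of $_SESSION are carried over to the new id.`, and the `//If we don't trust` comment should get a space after `//` to match the file's comment style.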