return true;
}
+/**
+ * Check if there is sufficent entropy in php's built-in session generation
+ * @return bool true = there is sufficient entropy
+ */
+function wfCheckEntropy() {
+ return (
+ ( wfIsWindows() && version_compare( PHP_VERSION, '5.3.3', '>=' ) )
+ || ini_get( 'session.entropy_file' )
+ )
+ && intval( ini_get( 'session.entropy_length' ) ) >= 32;
+}
+
/**
* Override session_id before session startup if php's built-in
* session generation code is not secure.
// - entropy_file is set or you're on Windows with php 5.3.3+
// - AND entropy_length is > 0
// We treat it as disabled if it doesn't have an entropy length of at least 32
- $entropyEnabled = (
- ( wfIsWindows() && version_compare( PHP_VERSION, '5.3.3', '>=' ) )
- || ini_get( 'session.entropy_file' )
- )
- && intval( ini_get( 'session.entropy_length' ) ) >= 32;
+ $entropyEnabled = wfCheckEntropy();
// If built-in entropy is not enabled or not sufficient override php's built in session id generation code
if ( !$entropyEnabled ) {
$userLang = Language::factory( $code );
$wgLang = $userLang;
$this->getContext()->setLanguage( $userLang );
+ // Reset SessionID on Successful login (bug 40995)
+ $this->renewSessionId();
$this->successfulLogin();
} else {
$this->cookieRedirectCheck( 'login' );
$wgRequest->setSessionData( 'wsCreateaccountToken', null );
}
+ /**
+ * Renew the user's session id, using strong entropy
+ */
+ private function renewSessionId() {
+ if ( wfCheckEntropy() ) {
+ session_regenerate_id( false );
+ } else {
+ //If we don't trust PHP's entropy, we have to replace the session manually
+ $tmp = $_SESSION;
+ session_unset();
+ session_write_close();
+ session_id( MWCryptRand::generateHex( 32 ) );
+ session_start();
+ $_SESSION = $tmp;
+ }
+ }
+
/**
* @private
*/
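Review bot: `session_regenerate_id( false )` in the trusted-entropy branch of renewSessionId() keeps the old session record alive, so an ID that was set before login (the fixation scenario bug 40995 addresses) stays usable until garbage collection; the manual fallback right below it, by contrast, empties the old session with `session_unset()` before closing it, so the two branches leave the old record in different states. Passing `true` deletes the old session and makes the branches consistent: `session_regenerate_id( true );`. The return value of `session_regenerate_id()` is also discarded, so if no session is active or headers were already sent, login continues under the old ID without any trace; checking the result and logging the failure via `wfDebug()` would make that visible. The enclosing class continues outside the hunk.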