Regenerate session ID on login (#7829)

Follow-up to #7762 * Regenerate session ID on login * Send only one cookie * Improvements * Delete old session file * Simplify * Make function consistent with others
2026-05-18 21:34:35 -04:00 · 2025-08-30 21:40:00 +02:00
parent 585875cda7
commit 200eafb352
3 changed files with 21 additions and 12 deletions
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -152,6 +152,7 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 			);
 			if ($ok) {
 				// Set session parameter to give access to the user.
+				Minz_Session::regenerateID('FreshRSS');
 				Minz_Session::_params([
 					Minz_User::CURRENT_USER => $username,
 					'passwordHash' => FreshRSS_Context::userConf()->passwordHash,
@@ -203,6 +204,7 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 			$ok = password_verify($password, $s);
 			unset($password);
 			if ($ok) {
+				Minz_Session::regenerateID('FreshRSS');
 				Minz_Session::_params([
 					Minz_User::CURRENT_USER => $username,
 					'passwordHash' => $s,
@@ -243,6 +245,7 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 				)) {
 				Minz_Request::setBadNotification(_t('feedback.auth.login.invalid'));
 			} else {
+				Minz_Session::regenerateID('FreshRSS');
 				Minz_Session::_param('lastReauth', time());
 				Minz_Request::forward($redirect, true);
 				return;
@@ -259,12 +262,7 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 		if (Minz_Request::isPost()) {
 			invalidateHttpCache();
 			FreshRSS_Auth::removeAccess();
-
-			ini_set('session.use_cookies', '1');
-			Minz_Session::lock();
-			Minz_Session::regenerateID();
-			Minz_Session::unlock();
-
+			Minz_Session::regenerateID('FreshRSS');
 			Minz_Request::good(_t('feedback.auth.logout.success'), [ 'c' => 'index', 'a' => 'index' ]);
 		} else {
 			Minz_Error::error(403);
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -149,10 +149,7 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController {
 					return;
 				}

-				ini_set('session.use_cookies', '1');
-				Minz_Session::lock();
-				Minz_Session::regenerateID();
-				Minz_Session::unlock();
+				Minz_Session::regenerateID('FreshRSS');
 			}

 			if (FreshRSS_Context::systemConf()->force_email_validation && empty($email)) {
--- a/lib/Minz/Session.php
+++ b/lib/Minz/Session.php
@@ -198,10 +198,24 @@ class Minz_Session {

 	/**
 	 * Regenerate a session id.
-	 * Useful to call session_set_cookie_params after session_start()
 	 */
-	public static function regenerateID(): void {
+	public static function regenerateID(string $name): void {
+		if (self::$volatile || self::$locked) {
+			return;
+		}
+		// Ensure that regenerating the session won't send multiple cookies so we can send one ourselves instead
+		ini_set('session.use_cookies', '0');
+		session_name($name);
+		session_start();
 		session_regenerate_id(true);
+		session_write_close();
+		$newId = session_id();
+		if ($newId === false) {
+			Minz_Error::error(500);
+			return;
+		}
+		$lifetime = session_get_cookie_params()['lifetime'];
+		setcookie($name, $newId, $lifetime, self::getCookieDir(), '', Minz_Request::isHttps(), true);
 	}

 	public static function deleteLongTermCookie(string $name): void {