Make session ID regeneration configurable in security_settings.ini

Till Brehm · Till Brehm · commit aae7dceb7968 · 2016-07-23T15:21:19.000+02:00
diff --git a/interface/web/login/index.php b/interface/web/login/index.php
@@ -216,8 +216,15 @@
 						$user = $app->db->toLower($user);
 						
 						if ($loginAs) $oldSession = $_SESSION['s'];
-						// Session regenerate causes login problems on some systems, have to find a better way. see Issue #3827
-						//if (!$loginAs) session_regenerate_id(true);
+						
+						// Session regenerate causes login problems on some systems, see Issue #3827
+						// Set session_regenerate_id to no in security settings, it you encounter
+						// this problem.
+						$app->uses('getconf');
+						$security_config = $app->getconf->get_security_config('permissions');
+						if(isset($security_config['session_regenerate_id']) && $security_config['session_regenerate_id'] == 'yes') {
+							if (!$loginAs) session_regenerate_id(true);
+						}
 						$_SESSION = array();
 						if ($loginAs) $_SESSION['s_old'] = $oldSession; // keep the way back!
 						$_SESSION['s']['user'] = $user;
diff --git a/security/security_settings.ini b/security/security_settings.ini
@@ -16,6 +16,7 @@ admin_allow_software_packages=superadmin
 admin_allow_software_repo=superadmin
 remote_api_allowed=yes
 password_reset_allowed=yes
+session_regenerate_id=yes
 
 [ids]
 ids_enabled=no
