From 0de7662c8b428d2b59640b3ae070379f668274bb Mon Sep 17 00:00:00 2001
From: csteipp
Date: Fri, 12 Oct 2012 16:50:57 -0700
Subject: [PATCH] (bug 40995) Refresh SessionId on login
SpecialUserlogin updated to refresh the user's session_id on each successful login.
Change-Id: I4129093b3b78d49835f7af8c6330738a6a2abf1f
---
includes/GlobalFunctions.php | 18 +++++++++++++-----
includes/specials/SpecialUserlogin.php | 19 +++++++++++++++++++
2 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index 3de25e7..f8bd200 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -3257,6 +3257,18 @@ function wfHttpOnlySafe() {
 }
 
 /**
+ * Check if there is sufficent entropy in php's built-in session generation
+ * @return bool true = there is sufficient entropy
+ */
+function wfCheckEntropy() {
+ return (
+ ( wfIsWindows() && version_compare( PHP_VERSION, '5.3.3', '>=' ) )
+ || ini_get( 'session.entropy_file' )
+ )
+ && intval( ini_get( 'session.entropy_length' ) ) >= 32;
+}
+
+/**
  * Override session_id before session startup if php's built-in
  * session generation code is not secure.
  */
@@ -3270,11 +3282,7 @@ function wfFixSessionID() {
 // - entropy_file is set or you're on Windows with php 5.3.3+
 // - AND entropy_length is > 0
 // We treat it as disabled if it doesn't have an entropy length of at least 32
- $entropyEnabled = (
- ( wfIsWindows() && version_compare( PHP_VERSION, '5.3.3', '>=' ) )
- || ini_get( 'session.entropy_file' )
- )
- && intval( ini_get( 'session.entropy_length' ) ) >= 32;
+ $entropyEnabled = wfCheckEntropy();
 
 // If built-in entropy is not enabled or not sufficient override php's built in session id generation code
 if ( !$entropyEnabled ) {
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index f80e7da..d854b14 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
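Review bot: The docblock on wfCheckEntropy() misspells "sufficent" and states no criteria, while the conditions it actually tests are documented only by the comment block that stays behind inside wfFixSessionID() in the next hunk; now that renewSessionId() in SpecialUserlogin.php calls this function directly, the contract belongs on the function itself. Suggested description: `Check whether PHP's built-in session id generation has sufficient entropy: session.entropy_file must be set (or PHP >= 5.3.3 on Windows) and session.entropy_length must be at least 32.` A short remark that ini_get() returns strings, which is why intval() is applied before the >= 32 comparison, would also help the next reader.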
@@ -785,6 +785,8 @@ class LoginForm extends SpecialPage {
 $userLang = Language::factory( $code );
 $wgLang = $userLang;
 $this->getContext()->setLanguage( $userLang );
+ // Reset SessionID on Successful login
+ $this->renewSessionId();
 $this->successfulLogin();
 } else {
 $this->cookieRedirectCheck( 'login' );
@@ -1255,6 +1257,23 @@ class LoginForm extends SpecialPage {
 }
 
 /**
+ * Renew the user's session id, using strong entropy
+ */
+ private function renewSessionId() {
+ if ( wfCheckEntropy() ) {
+ session_regenerate_id( false );
+ } else {
+ //If we don't trust PHP's entropy, we have to replace the session manually
+ $tmp = $_SESSION;
+ session_unset();
+ session_write_close();
+ session_id( MWCryptRand::generateHex( 32 ) );
+ session_start();
+ $_SESSION = $tmp;
+ }
+ }
+
+ /**
  * @private
  */
 function cookieRedirectCheck( $type ) {
-- 
1.7.5.4
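Review bot: The comment above `$this->renewSessionId();` says what happens but not why the call has to sit exactly here: regenerating the session id emits a new session cookie, so it must run after authentication has succeeded and before successfulLogin() sends any output, and a comment stating that ordering keeps a later refactor from moving it. Suggested wording: `// Regenerate the session id now that authentication succeeded (session fixation defence); must precede any output since it sets a new cookie`. The enclosing method starts and ends outside the hunk, so I cannot confirm from here whether other branches that treat a login as successful would also need the call.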
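Review bot: `session_regenerate_id( false )` in the wfCheckEntropy() branch of renewSessionId() leaves the previous session's data reachable under the old id until garbage collection, so an id that was planted before login keeps working after it; the manual branch below does discard the old session (session_unset() runs before session_write_close()), and the two branches should agree. Change the call to `session_regenerate_id( true );` so the old session is deleted as part of the rotation. The manual branch also appears to assume a session is already active when it calls session_unset() and session_write_close(); whether every caller guarantees that cannot be confirmed from this hunk, so a guard or a docblock line naming that precondition would be worth adding. Minor style point: `//If we don't trust PHP's entropy` should read `// If we don't trust PHP's entropy` to match the spacing of the other comments in the patch.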