Generate a new session identifier on successful login to prevent session fixation attacks.
parent
3467e77e74
commit
f29ff197c6
|
@ -53,6 +53,7 @@ class SessionController extends \PHPCI\Controller
|
|||
$user = $this->userStore->getByEmail($this->getParam('email'));
|
||||
|
||||
if ($user && password_verify($this->getParam('password', ''), $user->getHash())) {
|
||||
session_regenerate_id(true);
|
||||
$_SESSION['phpci_user_id'] = $user->getId();
|
||||
$response = new b8\Http\Response\RedirectResponse();
|
||||
$response->setHeader('Location', $this->getLoginRedirect());
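Review bot: The return value of `session_regenerate_id(true)` is ignored, so if regeneration fails (it returns false, for example when no session is active or headers were already sent) the login continues under the pre-login identifier and the fixation defence silently does not apply. Consider failing closed before `$_SESSION['phpci_user_id']` is written: `if (!session_regenerate_id(true)) { throw new \RuntimeException('Unable to regenerate session id'); }`. Whether a session is always started by this point is not visible here; the enclosing method begins and ends outside the hunk. A short comment above the call, e.g. `// Rotate the session id on privilege change so a pre-login id cannot be reused (session fixation).`, would keep the call from being removed as redundant later.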
|
||||
|
|