/**
 * Swap the current session ID for a new one while keeping the session data.
 *
 * PHP regenerates the ID in place when wfCheckEntropy() passes and the global
 * $wgCookieSecure matches the 'secure' flag of the active session cookie
 * parameters. Otherwise the session is destroyed and set up again through
 * wfSetupSession() with an ID from MWCryptRand::generateHex(32), and the
 * saved data is copied back. The 'ResetSessionID' hook is run afterwards
 * with the old and the new ID.
 *
 * @since 1.22
 */
function wfResetSessionID() {
    global $wgCookieSecure;

    $previousId = session_id();
    $activeCookieParams = session_get_cookie_params();

    // Loose comparison kept on purpose: this rewrite must behave exactly like the original.
    $regenerateInPlace = wfCheckEntropy() && $wgCookieSecure == $activeCookieParams['secure'];

    if (!$regenerateInPlace) {
        // Manual path: session_destroy() discards the old session, so the
        // data is held in a local copy and restored once the new one exists.
        $carriedData = $_SESSION;
        session_destroy();
        wfSetupSession(MWCryptRand::generateHex(32));
        $_SESSION = $carriedData;
    } else {
        // NOTE(review): passing false keeps the old session record in storage
        // under the previous ID, while the manual path above destroys it.
        // Confirm the difference is intended; an old ID that stays readable
        // after a reset is worth checking against the callers.
        session_regenerate_id(false);
    }

    $currentId = session_id();
    Hooks::run('ResetSessionID', array($previousId, $currentId));
}
/**
 * Give the user's session a new ID backed by strong entropy.
 *
 * With $wgSecureLogin on and $this->mStickHTTPS off, the global
 * $wgCookieSecure is first set to false. PHP then regenerates the ID in
 * place only when wfCheckEntropy() passes and $wgCookieSecure still matches
 * the 'secure' flag of the active session cookie parameters. In every other
 * case the session is destroyed and set up again through wfSetupSession()
 * with an ID from MWCryptRand::generateHex(32).
 */
private function renewSessionId() {
    global $wgSecureLogin, $wgCookieSecure;

    if ($wgSecureLogin) {
        if (!$this->mStickHTTPS) {
            // NOTE(review): this overwrites the global, so it stays false for
            // whatever reads $wgCookieSecure later in the request. Presumably
            // the session cookie is then issued without the secure flag and
            // can travel over plain HTTP; confirm against wfSetupSession().
            $wgCookieSecure = false;
        }
    }

    // The ID is changed by hand when PHP's entropy is not trusted, or when
    // the cookie settings have to change at login because of wpStickHTTPS.
    $activeCookieParams = session_get_cookie_params();
    $regenerateInPlace = wfCheckEntropy() && $wgCookieSecure == $activeCookieParams['secure'];

    if ($regenerateInPlace) {
        // NOTE(review): false leaves the old session record in storage under
        // the previous ID; the manual path below destroys it instead.
        session_regenerate_id(false);
        return;
    }

    // session_destroy() discards the old session, so its data is held in a
    // local copy and restored once the replacement session exists.
    $carriedData = $_SESSION;
    session_destroy();
    wfSetupSession(MWCryptRand::generateHex(32));
    $_SESSION = $carriedData;
}
/**
 * Choose the session ID ourselves, before the session starts, when PHP's
 * built-in session ID generation is not considered secure.
 *
 * Nothing happens if the request already carries a session cookie or a
 * session ID is already set.
 */
function wfFixSessionID() {
    // A session cookie on the request means a session already exists.
    // NOTE(review): the cookie value is not inspected here, so a
    // client-supplied ID is left for the session start to accept or reject.
    if (isset($_COOKIE[session_name()])) {
        return;
    }

    // So does a session ID that has already been set.
    if (session_id()) {
        return;
    }

    // PHP's built-in session entropy counts as enabled if:
    // - entropy_file is set, or you are on Windows with PHP 5.3.3+
    // - AND entropy_length is > 0
    // It is treated as disabled below an entropy length of 32.
    if (wfCheckEntropy()) {
        return;
    }

    // Built-in entropy is missing or too weak: take the ID from MWCryptRand instead.
    wfDebug(__METHOD__ . ": PHP's built in entropy is disabled or not sufficient, overriding session id generation using our cryptrand source.\n");
    session_id(MWCryptRand::generateHex(32));
}
/**
 * Give the user's session a new ID backed by strong entropy.
 *
 * When wfCheckEntropy() passes, PHP regenerates the ID itself. Otherwise the
 * session is closed and reopened under an ID from
 * MWCryptRand::generateHex(32), with the session data carried over.
 */
private function renewSessionId() {
    if (wfCheckEntropy()) {
        // NOTE(review): false leaves the old session record in storage under
        // the previous ID; confirm that is intended when the ID is renewed.
        session_regenerate_id(false);
        return;
    }

    // PHP's entropy is not trusted, so the session is replaced by hand.
    $carriedData = $_SESSION;

    // Clear the session variables and close the session under the old ID
    // before switching to the new one.
    session_unset();
    session_write_close();

    session_id(MWCryptRand::generateHex(32));
    // NOTE(review): the result of session_start() is not checked; on failure
    // the data assigned below would not be persisted.
    session_start();
    $_SESSION = $carriedData;
}
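/**
 * Swap the current session ID for a new one while keeping the session data.
 *
 * PHP regenerates the ID in place, deleting the old session, when
 * wfCheckEntropy() passes and the global $wgCookieSecure matches the
 * 'secure' flag of the active session cookie parameters. Otherwise the
 * session is destroyed and set up again through wfSetupSession() with an ID
 * from MWCryptRand::generateHex(32), and the saved data is copied back. The
 * 'ResetSessionID' hook is run afterwards with the old and the new ID.
 *
 * Backported from MW 1.22
 */
function wfResetSessionID() {
    global $wgCookieSecure;

    $oldSessionId = session_id();
    $cookieParams = session_get_cookie_params();

    if (wfCheckEntropy() && $wgCookieSecure == $cookieParams['secure']) {
        session_regenerate_id(true); // Wikia - $delete_old_session = true
    } else {
        // session_destroy() discards the old session, so its data is held in
        // a local copy and restored once the replacement session exists.
        $tmp = $_SESSION;
        session_destroy();
        wfSetupSession(MWCryptRand::generateHex(32));
        $_SESSION = $tmp;
    }

    $newSessionId = session_id();
    Hooks::run('ResetSessionID', array($oldSessionId, $newSessionId));

    // A session ID is a bearer credential: anyone who can read the debug log
    // could replay it. Log a truncated SHA-256 digest instead, which still
    // lets log lines be correlated without exposing the ID.
    $fingerprint = substr(hash('sha256', $newSessionId), 0, 12);
    wfDebug(sprintf("%s: session ID was reset (new ID fingerprint: %s)\n", __METHOD__, $fingerprint));
}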
/**
 * Choose the session ID ourselves, before the session starts, when PHP's
 * built-in session ID generation is not considered secure.
 *
 * Nothing happens if the request already carries a session cookie or a
 * session ID is already set.
 */
function wfFixSessionID() {
    // A cookie on the request or an ID that is already set both mean a session exists.
    // NOTE(review): the cookie value is not inspected here, so a
    // client-supplied ID is left for the session start to accept or reject.
    $sessionAlreadyPresent = isset($_COOKIE[session_name()]) || session_id();
    if ($sessionAlreadyPresent) {
        return;
    }

    // wfCheckEntropy() decides whether PHP's own entropy is good enough;
    // its criteria are not visible in this function.
    $builtInEntropyOk = wfCheckEntropy();
    if ($builtInEntropyOk) {
        return;
    }

    // Built-in entropy is missing or too weak: take the ID from MWCryptRand instead.
    wfDebug(__METHOD__ . ": PHP's built in entropy is disabled or not sufficient, overriding session id generation using our cryptrand source.\n");
    session_id(MWCryptRand::generateHex(32));
}