From aae7dceb7968fb8fe18b6065ee30ac86f3bcaee3 Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Sat, 23 Jul 2016 09:21:19 -0400
Subject: [PATCH] Make session ID regeneration configurable in security_settings.ini

---
 interface/web/login/index.php |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/interface/web/login/index.php b/interface/web/login/index.php
index 349f233..75a013b 100644
--- a/interface/web/login/index.php
+++ b/interface/web/login/index.php
@@ -216,8 +216,15 @@
 						$user = $app->db->toLower($user);
 						
 						if ($loginAs) $oldSession = $_SESSION['s'];
-						// Session regenerate causes login problems on some systems, have to find a better way. see Issue #3827
-						//if (!$loginAs) session_regenerate_id(true);
+						
+						// Session regenerate causes login problems on some systems, see Issue #3827
+						// Set session_regenerate_id to no in security settings, it you encounter
+						// this problem.
+						$app->uses('getconf');
+						$security_config = $app->getconf->get_security_config('permissions');
+						if(isset($security_config['session_regenerate_id']) && $security_config['session_regenerate_id'] == 'yes') {
+							if (!$loginAs) session_regenerate_id(true);
+						}
 						$_SESSION = array();
 						if ($loginAs) $_SESSION['s_old'] = $oldSession; // keep the way back!
 						$_SESSION['s']['user'] = $user;

--
Gitblit v1.9.1