Session fixation fix: the previous version did not let me in, because it regenerated the session before even trying to start the old one and check whether it was valid.

I've also added session regeneration on login, which is good practice to prevent session fixation.
This commit is contained in:
Andrey Grinenko
2015-02-21 02:58:44 +03:00
parent d826469c49
commit fac5bf8662
2 changed files with 4 additions and 1 deletions


@@ -32,8 +32,10 @@ if(!isset($_SESSION)) {
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
ini_set('session.cookie_secure','1'); // Only allows access to session ID when protocol is HTTPS, switched on under 'if https' condition
}
@session_start(); // Finally, start the session!
if (!isset($_SESSION['csrf'])){
session_regenerate_id(true); // Create a new ID to help prevent fixation
@session_start(); // Finally, start the session!
}
}
// Set the language file, if now possible
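Review bot: The regeneration on L18–L21 is gated on `!isset($_SESSION['csrf'])`, so it only replaces IDs that have never been initialised through this bootstrap; an ID that already carries a `csrf` key is accepted as-is, and the actual fixation defence for that case is the login-time `session_regenerate_id()` in the second file, which the comment on L19 should say instead of the generic "Create a new ID to help prevent fixation". The second `@session_start()` on L20 is redundant, because the session remains active across `session_regenerate_id(true)` and the call only raises a notice that the `@` then hides; dropping it also removes one place where a real startup failure (headers already sent, unwritable save path) would be silently swallowed. If `session.use_strict_mode` is not already enabled earlier in this block (not visible in the hunk), adding `ini_set('session.use_strict_mode', '1');` next to the other `ini_set` calls makes PHP refuse uninitialised IDs independently of this check. The enclosing `if(!isset($_SESSION))` block starts outside the hunk.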


@@ -106,6 +106,7 @@ if (!isset($_SESSION['username'])) {$_SESSION['username'] = false;};
if(isset($_POST['submit']) && $setPWorLogin=="login") {
// On success, set username if multiUser, loggedIn to true and redirect
if (generateHash(strClean($_POST['password']),$ICEcoder["password"])==$ICEcoder["password"]) {
session_regenerate_id();
if ($ICEcoder["multiUser"]) {
$_SESSION['username'] = $_POST['username'];
}
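Review bot: The new `session_regenerate_id();` on L31 omits the `true` argument, so the pre-login session's data file is left behind on the save path rather than deleted, and it is inconsistent with the bootstrap in the first file, which passes `true`; use `session_regenerate_id(true);` so the old ID is invalidated rather than merely abandoned. Note that regeneration copies the existing `$_SESSION` contents into the new ID, so any state written before authentication survives the swap; if the pre-login session is not meant to carry anything into the authenticated one, clearing it before the regenerate call would be the safer order. The branch is entered through a loose `==` comparison of hashes on the context line above; `hash_equals()` is the strict, constant-time comparison normally used there. Both enclosing `if` blocks start and end outside the hunk.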