From fac5bf86621ff96fc02135c0b74a3b18c852979e Mon Sep 17 00:00:00 2001
From: Andrey Grinenko
Date: Sat, 21 Feb 2015 02:58:44 +0300
Subject: [PATCH] session fixation fix - previous version did not let me in, because it regenerated session before even trying to start old one and check whether it is valid or not. I've also added session regeneration on login, which is good practice to prevent session fixation.
---
lib/settings-common.php | 4 +++-
lib/settings.php | 1 +
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/settings-common.php b/lib/settings-common.php
index d38422c..5f59217 100644
--- a/lib/settings-common.php
+++ b/lib/settings-common.php
@@ -32,8 +32,10 @@ if(!isset($_SESSION)) {
 if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
 ini_set('session.cookie_secure','1'); // Only allows access to session ID when protocol is HTTPS, switched on under 'if https' condition
 }
+ @session_start(); // Finally, start the session!
+ if (!isset($_SESSION['csrf'])){
 session_regenerate_id(true); // Create a new ID to help prevent fixation
- @session_start(); // Finally, start the session!
+ }
 }
 // Set the language file, if now possible
diff --git a/lib/settings.php b/lib/settings.php
index 495457a..9c206a2 100644
--- a/lib/settings.php
+++ b/lib/settings.php
@@ -106,6 +106,7 @@ if (!isset($_SESSION['username'])) {$_SESSION['username'] = false;};
 if(isset($_POST['submit']) && $setPWorLogin=="login") {
 // On success, set username if multiUser, loggedIn to true and redirect
 if (generateHash(strClean($_POST['password']),$ICEcoder["password"])==$ICEcoder["password"]) {
+ session_regenerate_id();
 if ($ICEcoder["multiUser"]) {
 $_SESSION['username'] = $_POST['username'];
 }
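Review bot: The `if (!isset($_SESSION['csrf']))` guard added after `@session_start()` only regenerates the ID when PHP finds no existing session for the cookie it was handed, so it does not stop an attacker who first obtains a real, server-issued ID (which presumably already carries `csrf`, set somewhere outside this hunk) and then fixes that ID on the victim; the login-time regeneration in lib/settings.php is what actually closes that path, so this check should not be described as the fixation defence on its own. Independently of the marker, the server can refuse to adopt unknown client-supplied IDs at all by setting strict mode before the session is opened (PHP >= 5.5.2): `ini_set('session.use_strict_mode', '1');` placed just above `@session_start();`. The `@` also hides any `session_start()` failure, after which `session_regenerate_id(true)` runs without an active session; a comment such as `// Regenerate only for sessions we did not establish ourselves (no csrf marker yet); strict mode rejects unknown IDs outright` would make the intent of the guard clear to the next reader. The enclosing `if(!isset($_SESSION))` block starts before this hunk.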
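Review bot: The added `session_regenerate_id();` on successful login is called without `delete_old_session`, so the session record under the old (possibly attacker-chosen) ID stays on the server until garbage collection, and it is also inconsistent with the `session_regenerate_id(true)` used in lib/settings-common.php in this same patch; change it to `session_regenerate_id(true); // Drop the pre-login session so a fixated ID cannot be reused`. Since the username and logged-in state are written after the regeneration, the leftover old record should not carry authenticated state, but deleting it removes the question entirely. Separately, the surrounding context line compares the computed hash to the stored one with `==`, which is both a loose comparison and not constant-time; `hash_equals()` (PHP >= 5.6) would be the safer form, though that predates this change. The `if(isset($_POST['submit']) ...)` block continues past the end of this hunk.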