From 068688063eb660d35ee0dca8d3ceb53d2f243bbe Mon Sep 17 00:00:00 2001
From: NARUKAWA Hiroki
Date: Fri, 20 Dec 2013 03:38:51 +0900
Subject: [PATCH 1/2] Security Update: session fixation Previous version is vulnerable to session fixation attack in some situations, guessing non-apache-module-php5 environment. Regeneration of session id should be done here.
---
 lib/private/user/session.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/private/user/session.php b/lib/private/user/session.php
index c2885d0041..67cfdf2624 100644
--- a/lib/private/user/session.php
+++ b/lib/private/user/session.php
@@ -157,6 +157,7 @@ class Session implements Emitter, \OCP\IUserSession {
 if($user !== false) {
 if (!is_null($user)) {
 if ($user->isEnabled()) {
+ session_regenerate_id(true);
 $this->setUser($user);
 $this->setLoginname($uid);
 $this->manager->emit('\OC\User', 'postLogin', array($user, $password));
From c2e2c59ca7aa873bd07de04ea701a8b351383aec Mon Sep 17 00:00:00 2001
From: nhirokinet
Date: Sun, 22 Dec 2013 01:31:04 +0900
Subject: [PATCH 2/2] Update user.php to fix duplicate session-duplicate
---
 lib/private/user.php | 1 -
 1 file changed, 1 deletion(-)
diff --git a/lib/private/user.php b/lib/private/user.php
index e0d6b9f3f5..e6f42874b9 100644
--- a/lib/private/user.php
+++ b/lib/private/user.php
@@ -243,7 +243,6 @@ class OC_User {
 OC_Hook::emit( "OC_User", "pre_login", array( "run" => &$run, "uid" => $uid ));
 if($uid) {
- session_regenerate_id(true);
 self::setUserId($uid);
 self::setDisplayName($uid);
 OC_Hook::emit( "OC_User", "post_login", array( "uid" => $uid, 'password'=>'' ));
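Review bot: `session_regenerate_id(true)` is called unconditionally at the top of the `isEnabled()` branch, but it only does anything when a PHP session is already active; if this login path runs without one (CLI, tests, or a caller that never started the session) it returns false and the fixation defence is silently skipped while the login still succeeds. Check the result and refuse the login on failure, e.g. `if (session_id() === '' || !session_regenerate_id(true)) { return false; }` — this assumes the method follows a bool-return convention, which is not visible in the hunk; and if the class's session object wraps PHP sessions, going through it instead of the raw function would keep the abstraction intact. A why-comment would help the next reader preserve the ordering: `// regenerate before storing the user so an id fixed by an attacker pre-login never becomes an authenticated session`. Note that `true` destroys the old session data immediately, so a concurrent request still carrying the old cookie will be logged out; acceptable for a login but worth stating. The enclosing method starts before and ends after this hunk.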