The php documentation states that an empty string should be used for a cookie when it has no real value.
null leads to the following error: expects parameter 2 to be string, null given
Signed-off-by: Martin Böh <mart.b@outlook.de>
Sometimes when we force a session regeneration we want to update the
current token for this session.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Treat PHP Errors on User session regenerate
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
remove unnecessary lines…
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
change PHP errors to ErrorException in the session (PHP >=7)
Otherwise it might be that authentication apps are being disabled on
during operation while in fact the session handler has hiccup.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
This is a hacky way to allow the use case of #1303.
What happens is
1. User tries to login
2. PreLoginHook kicks in and figures out that the user need to change
their LDAP password or whatever => redirects user
3. While loading the redirect some logic of ours kicks in and logouts
the user (thus clearing the session).
4. We render the new page but now the session and the page disagree
about the CSRF token
This is kind of hacky but I don't think it introduces new attack
vectors.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
MartB
Roeland Jago Douma
Morris Jobke
Lukas Reschke
Arthur Schiwon
Victor Dubiniuk
Joas Schilling
Lukas Reschke
Christoph Wurst
Roeland Jago Douma