From ccc18b4b1cfc754e3367c7a60a4b7d9a71e28cc2 Mon Sep 17 00:00:00 2001
From: Jacek Kowalski <Jacek@jacekk.info>
Date: Wed, 07 Aug 2019 15:13:32 +0000
Subject: [PATCH] Regenerate session ID before setting authentication data

---
 uphpCAS.php |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/uphpCAS.php b/uphpCAS.php
index 77ba8d3..1633119 100644
--- a/uphpCAS.php
+++ b/uphpCAS.php
@@ -122,10 +122,14 @@
 			.($returnUrl ? '?service='.urlencode($returnUrl) : '');
 	}
 	
-	public function logout($returnUrl = NULL) {
+	public function logoutLocal() {
 		@session_start();
+		unset($_SESSION[$this->sessionName]);
+	}
+	
+	public function logout($returnUrl = NULL) {
+		$this->logoutLocal();
 		if($this->isAuthenticated()) {
-			unset($_SESSION[$this->sessionName]);
 			header('Location: '.$this->logoutUrl($returnUrl));
 			die();
 		} elseif($returnUrl) {
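Review bot: In the new `logout()`, `$this->logoutLocal()` clears `$_SESSION[$this->sessionName]` before `isAuthenticated()` is evaluated, so if `isAuthenticated()` tests that same key, the branch that redirects to `logoutUrl()` can no longer be taken. The body of `isAuthenticated()` is outside this hunk, but the `authenticate()` context in the second hunk reads that key. The user would then be logged out locally while the CAS server session stays alive, and the next visit may sign them back in without a prompt. Record the state before clearing it: `$wasAuthenticated = $this->isAuthenticated();`, then `$this->logoutLocal();`, then `if($wasAuthenticated) {`. The rest of `logout()` continues past the end of the hunk.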
@@ -144,6 +148,7 @@
 			return $_SESSION[$this->sessionName];
 		} elseif(isset($_REQUEST['ticket'])) {
 			$user = $this->verifyTicket($_REQUEST['ticket']);
+			session_regenerate_id();
 			$_SESSION[$this->sessionName] = $user;
 			return $user;
 		} else {
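Review bot: The result of the added `session_regenerate_id();` is not checked, so if no session is active or headers have already been sent, the call returns false and the user is stored under the pre-login session ID. That is the fixation case this commit is meant to close. How the session is started in this method is outside the hunk; `logoutLocal()` uses `@session_start()`, which would hide such a failure if the same pattern is used here. Consider failing closed, e.g. `if(!session_regenerate_id(true)) { throw new \RuntimeException('Session ID regeneration failed'); }`, where `true` also deletes the old session data instead of leaving it for garbage collection.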

--
Gitblit v1.9.1