N°1835 fix transaction_id lost with session

* transaction_id are now stored by default in file instead of session ("transaction_storage" config parameter : default value was 'Session', it is now 'File') * session_regenerate_id() call can be disabled using "regenerate_session_id_enabled" config parameter * new 'transaction_id' parameter type to allow dots (with a file storage, transaction_id equals the temp file name and on Windows we're getting *.tmp)
2026-04-24 11:08:45 +02:00 · 2018-12-10 17:07:32 +01:00
parent bd082c0a6e
commit 36d47c2274
11 changed files with 57 additions and 28 deletions
--- a/core/config.class.inc.php
+++ b/core/config.class.inc.php
@@ -993,7 +993,7 @@ class Config
 		'transaction_storage' => array(
 			'type' => 'string',
 			'description' => 'The type of mechanism to use for storing the unique identifiers for transactions (Session|File).',
-			'default' => 'Session',
+			'default' => 'File',
 			'value' => '',
 			'source_of_value' => '',
 			'show_in_conf_sample' => false,
@@ -1150,6 +1150,14 @@ class Config
 			'source_of_value' => '',
 			'show_in_conf_sample' => false,
 		),
+		'regenerate_session_id_enabled' => array(
+			'type' => 'bool',
+			'description' => 'If true then session id will be regenerated on each login, to prevent session fixation.',
+			'default' => true,
+			'value' => true,
+			'source_of_value' => '',
+			'show_in_conf_sample' => false,
+		),
 	);

 	public function IsProperty($sPropCode)
--- a/core/inlineimage.class.inc.php
+++ b/core/inlineimage.class.inc.php
@@ -161,7 +161,7 @@ class InlineImage extends DBObject
 	 */
 	public static function FinalizeInlineImages(DBObject $oObject)
 	{
-		$iTransactionId = utils::ReadParam('transaction_id', null);
+		$iTransactionId = utils::ReadParam('transaction_id', null, false, 'transaction_id');
 		if (!is_null($iTransactionId))
 		{
 			// Attach new (temporary) inline images
--- a/core/userrights.class.inc.php
+++ b/core/userrights.class.inc.php
@@ -1331,15 +1331,24 @@ class UserRights
 		{
 			$_SESSION['profile_list'] = self::ListProfiles();
 		}
-		// Protection against session fixation/injection: generate a new session id.
-		
-		// Alas a PHP bug (technically a bug in the memcache session handler, https://bugs.php.net/bug.php?id=71187)
-		// causes session_regenerate_id to fail with a catchable fatal error in PHP 7.0 if the session handler is memcache(d).
-		// The bug has been fixed in PHP 7.2, but in case session_regenerate_id()
-		// fails we just silently ignore the error and keep the same session id...
-		$old_error_handler = set_error_handler(array(__CLASS__, 'VoidErrorHandler'));
-		session_regenerate_id();
-		if ($old_error_handler !== null) set_error_handler($old_error_handler);
+
+		$oConfig = MetaModel::GetConfig();
+		$bSessionIdRegeneration = $oConfig->Get('regenerate_session_id_enabled');
+		if ($bSessionIdRegeneration)
+		{
+			// Protection against session fixation/injection: generate a new session id.
+
+			// Alas a PHP bug (technically a bug in the memcache session handler, https://bugs.php.net/bug.php?id=71187)
+			// causes session_regenerate_id to fail with a catchable fatal error in PHP 7.0 if the session handler is memcache(d).
+			// The bug has been fixed in PHP 7.2, but in case session_regenerate_id()
+			// fails we just silently ignore the error and keep the same session id...
+			$old_error_handler = set_error_handler(array(__CLASS__, 'VoidErrorHandler'));
+			session_regenerate_id();
+			if ($old_error_handler !== null)
+			{
+				set_error_handler($old_error_handler);
+			}
+		}
 	}

 	public static function _ResetSessionCache()