Commit 8fda542b authored by Côme Bernigaud's avatar Côme Bernigaud Committed by Benoit Mortier

Fixes #3263 Fixed vulnerability in user expiration system

parent 67794705
......@@ -316,7 +316,6 @@ if (($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['login'])) || $htacces
/* Save userinfo and plugin structure */
session::global_set('ui', $ui);
session::global_set('session_cnt', 0);
/* Let FusionDirectory trigger a new connection for each POST, save config to session. */
session::global_set('config', $config);
......@@ -339,6 +338,7 @@ if (($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['login'])) || $htacces
/* Not account expired or password forced change go to main page */
new log("security", "login", "", array(), "User \"$username\" logged in successfully");
session::global_set('connected', 1);
$config->checkLdapConfig(); // check that newly installed plugins have their configuration in the LDAP
header ("Location: main.php?global_check=1");
exit;
......
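Review bot: The lines shown in the first hunk store 'ui' and 'config' in the session before the expiry and forced-password-change checks, while `session::global_set('connected', 1);` in the second hunk is reached only on the success path, so the fix holds only if every entry point gates on 'connected'. Any script that still tests 'ui' or 'config' would presumably stay reachable for an expired account; those scripts are not visible here, so this is something to audit rather than a confirmed gap. I would document the invariant next to the new line, e.g. `/* 'connected' is the only marker of a completed login; 'ui' and 'config' are set earlier and must not be used as an auth check */`. The enclosing `if` block starts and ends outside both hunks, and this rendering does not show which line the first hunk removed.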
......@@ -48,7 +48,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
@DEBUG (DEBUG_SESSION, __LINE__, __FUNCTION__, __FILE__, session::get_all(), "_SESSION");
/* Logged in? Simple security check */
if (!session::global_is_set('config')) {
if (!session::global_is_set('connected')) {
new log("security", "login", "", array(), "main.php called without session - logging out");
header ("Location: logout.php");
exit;
......
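Review bot: The log text `main.php called without session - logging out` no longer matches what the guard detects: with the check on 'connected', it also fires for a user who authenticated but was stopped on the expiry or password-change path, and that case should be distinguishable during triage. Suggested wording: `new log("security", "login", "", array(), "main.php called without a completed login - logging out");`. The comment above the guard could also say where the flag comes from, e.g. `/* 'connected' is set by the login script only after the expiration checks pass */`. Which of the two `if` lines is the new side is inferred from the commit title, since the +/- markers are lost in this rendering.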