From: Michael M Slusarz
Date: Tue, 16 Nov 2010 08:00:34 +0000 (-0700)
Subject: Get a clean session in a centralized location
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=1dc26f480923ffd765a0b2e24699656c5b5ee8c0;p=horde.git

Get a clean session in a centralized location
---
diff --git a/framework/Core/lib/Horde/Core/Auth/Application.php b/framework/Core/lib/Horde/Core/Auth/Application.php
index 12b43604a..e2ea92cf1 100644
--- a/framework/Core/lib/Horde/Core/Auth/Application.php
+++ b/framework/Core/lib/Horde/Core/Auth/Application.php
@@ -292,14 +292,7 @@ class Horde_Core_Auth_Application extends Horde_Auth_Base
 if ($this->_base) {
 $result = $this->_base->transparent();
 } elseif ($this->hasCapability('transparent')) {
- if ($result = $registry->callAppMethod($this->_app, $this->_apiMethods['transparent'], array('args' => array($this), 'noperms' => true)) &&
- $is_auth) {
- /* Only clean session if we were successfully authenticated
- * into Horde via transparent auth. Have to wait until after
- * we check transparent auth or else we would blow away guest
- * sessions. See Bug #9311. */
- $registry->getCleanSession();
- }
+ $result = $registry->callAppMethod($this->_app, $this->_apiMethods['transparent'], array('args' => array($this), 'noperms' => true));
 } else {
 /* If this application contains neither transparent nor
 * authenticate capabilities, it does not require any
@@ -564,6 +557,12 @@ class Horde_Core_Auth_Application extends Horde_Auth_Base
 return true;
 }
 
+ /* Destroy any existing session on login and make sure to use a
+ * new session ID, to avoid session fixation issues. */
+ if (!$GLOBALS['registry']->getAuth()) {
+ $GLOBALS['registry']->getCleanSession();
+ }
+
 $userId = $this->getCredential('userId');
 $credentials = $this->getCredential('credentials');
 
diff --git a/horde/login.php b/horde/login.php
index 249dd7d10..bae68bb84 100644
--- a/horde/login.php
+++ b/horde/login.php
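Review bot: With the clean-session call gone from the transparent-auth branch, a successful transparent login in this method no longer regenerates the session ID on its own; whether the new centralized getCleanSession() call (added further down in this file, just after a `return true;` early exit) is reached on the transparent path is not visible in this hunk, so if transparent() returns its result directly, a session that existed before the transparent authentication keeps its ID across the privilege change that the removed Bug #9311 comment was guarding. `$is_auth` also appears to have been read only by the removed condition; if it is computed earlier in the method solely for that, it is now dead. A short comment in place of the removed one would help readers, e.g. `/* Session cleanup happens centrally after a successful login; see getCleanSession() in the authentication path. */`, provided that is actually the case for this path. The body of transparent() continues outside the hunk.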
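Review bot: The guard `if (!$GLOBALS['registry']->getAuth())` only cleans the session when nobody is authenticated yet, so a login that replaces an already-authenticated identity reuses the existing session ID, which is exactly what the comment above it says getCleanSession() is there to prevent. Unless the `return true;` just above already covers that case (its condition is outside the hunk), consider moving the check below the two getCredential() lines and cleaning whenever the current auth differs from the user being authenticated, e.g. `$current = $GLOBALS['registry']->getAuth(); if (!$current || $current !== $userId) {` — this assumes getAuth() returns the same identifier form as the 'userId' credential, which I cannot confirm from here. Using `$GLOBALS['registry']` here while the transparent() hunk in the same file works with a local `$registry` is a minor inconsistency; a local `$registry = $GLOBALS['registry'];` would read like the rest of the class. The enclosing method starts and ends outside the hunk.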
@@ -158,12 +158,6 @@ if ($logout_reason) {
 $_GET['new_lang'] = $language;
 } elseif (Horde_Util::getPost('login_post') || Horde_Util::getPost('login_button')) {
- if (!$is_auth) {
- /* Destroy any existing session on login and make sure to use a
- * new session ID, to avoid session fixation issues. */
- $registry->getCleanSession();
- }
-
 /* Get the login params from the login screen. */
 $auth_params = array(
 'password' => Horde_Util::getPost('horde_pass')