Regenerate session id when

changing the current user to avoid
session fixation.

src/Parse/ParseUser.php

@@ -500,6 +500,10 @@ protected function handleSaveResult($makeCurrent = false)
             unset($this->serverData['sessionToken']);
         }
         if ($makeCurrent) {
+            if (session_id()) {
+                // see: https://www.owasp.org/index.php/Session_fixation
+                session_regenerate_id();
+            }
             static::$currentUser = $this;
             static::saveCurrentUser();
         }

tests/Parse/ParseSessionFixationTest.php

@@ -0,0 +1,66 @@
+<?php
+namespace Parse\Test;
+
+use Parse\ParseClient;
+use Parse\ParseUser;
+use Parse\ParseSession;
+
+class ParseSessionFixationTest extends \PHPUnit_Framework_TestCase
+{
+
+    public static function setUpBeforeClass()
+    {
+        Helper::clearClass(ParseUser::$parseClassName);
+        Helper::clearClass(ParseSession::$parseClassName);
+        ParseUser::logout();
+        ParseClient::_unsetStorage();
+
+        // indicate we should not use cookies
+        ini_set("session.use_cookies", 0);
+        // indicate we can use something other than cookies
+        ini_set("session.use_only_cookies", 0);
+        // enable transparent sid support, for url based sessions
+        ini_set("session.use_trans_sid", 1);
+        // clear cache control for session pages
+        ini_set("session.cache_limiter", "");
+        session_start();
+        Helper::setUp();
+    }
+
+    public function tearDown()
+    {
+        Helper::tearDown();
+        Helper::clearClass(ParseUser::$parseClassName);
+        Helper::clearClass(ParseSession::$parseClassName);
+        ParseUser::logout();
+    }
+
+    public static function tearDownAfterClass()
+    {
+        session_destroy();
+    }
+
+    public function testCookieIdChangedForAnonymous()
+    {
+        ParseClient::getStorage()->set('test', 'hi');
+        $noUserSessionId = session_id();
+        $user = ParseUser::loginWithAnonymous();
+        $anonymousSessionId = session_id();
+        $this->assertNotEquals($noUserSessionId, $anonymousSessionId);
+        $this->assertEquals(ParseClient::getStorage()->get('test'), 'hi');
+    }
+
+    public function testCookieIdChangedForAnonymousToRegistered()
+    {
+        $user = ParseUser::loginWithAnonymous();
+        $anonymousSessionId = session_id();
+        ParseClient::getStorage()->set('test', 'hi');
+        $user->setUsername('testy');
+        $user->setPassword('testy');
+        $user->save();
+        $user->login('testy', 'testy');
+        $registeredSessionId = session_id();
+        $this->assertNotEquals($anonymousSessionId, $registeredSessionId);
+        $this->assertEquals(ParseClient::getStorage()->get('test'), 'hi');
+    }
+}