From 3f63b6bf00a7e36279c9c4f0a836e053782ad4d1 Mon Sep 17 00:00:00 2001
From: Arthur Cinader <700572+acinader@users.noreply.github.com>
Date: Fri, 28 Sep 2018 16:57:15 -0700
Subject: [PATCH 1/6] Regenerate session id when changing the current user to avoid session fixation.
---
 src/Parse/ParseUser.php | 4 ++
 tests/Parse/ParseSessionFixationTest.php | 66 ++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 tests/Parse/ParseSessionFixationTest.php
diff --git a/src/Parse/ParseUser.php b/src/Parse/ParseUser.php
index e559b176..57b35c07 100644
--- a/src/Parse/ParseUser.php
+++ b/src/Parse/ParseUser.php
@@ -500,6 +500,10 @@ protected function handleSaveResult($makeCurrent = false)
 unset($this->serverData['sessionToken']);
 }
 if ($makeCurrent) {
+ if (session_id()) {
+ // see: https://www.owasp.org/index.php/Session_fixation
+ session_regenerate_id();
+ }
 static::$currentUser = $this;
 static::saveCurrentUser();
 }
diff --git a/tests/Parse/ParseSessionFixationTest.php b/tests/Parse/ParseSessionFixationTest.php
new file mode 100644
index 00000000..93641c63
--- /dev/null
+++ b/tests/Parse/ParseSessionFixationTest.php
@@ -0,0 +1,66 @@
+set('test', 'hi');
+ $noUserSessionId = session_id();
+ $user = ParseUser::loginWithAnonymous();
+ $anonymousSessionId = session_id();
+ $this->assertNotEquals($noUserSessionId, $anonymousSessionId);
+ $this->assertEquals(ParseClient::getStorage()->get('test'), 'hi');
+ }
+
+ public function testCookieIdChangedForAnonymousToRegistered()
+ {
+ $user = ParseUser::loginWithAnonymous();
+ $anonymousSessionId = session_id();
+ ParseClient::getStorage()->set('test', 'hi');
+ $user->setUsername('testy');
+ $user->setPassword('testy');
+ $user->save();
+ $user->login('testy', 'testy');
+ $registeredSessionId = session_id();
+ $this->assertNotEquals($anonymousSessionId, $registeredSessionId);
+ $this->assertEquals(ParseClient::getStorage()->get('test'), 'hi');
+ }
+}
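Review bot: The added `session_regenerate_id();` keeps the previous session alive: with the default `delete_old_session = false` the data stored under the old id stays valid until garbage collection, so an id an attacker planted before login remains usable for that window, which is the very exposure this change sets out to close; `session_regenerate_id(true);` discards it immediately (the PHP manual notes this can break concurrent requests still carrying the old id, so the trade-off deserves a comment next to the OWASP link). The guard `if (session_id()) {` is only an indirect test for an active session; `if (session_status() === PHP_SESSION_ACTIVE) {` is the direct one and avoids the warning `session_regenerate_id()` emits when no session has been started. Its return value is also unchecked — it returns false when headers have already been sent — so the id can silently stay the same; that case is worth at least logging. The enclosing `handleSaveResult()` starts before this hunk, and the new test file's hunk appears truncated in this view (its opening lines are missing), so the test setup could not be reviewed.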
From 27a608d06203ff5f366523fb0471fd40b7ba1fea Mon Sep 17 00:00:00 2001
From: Arthur Cinader <700572+acinader@users.noreply.github.com>
Date: Tue, 9 Oct 2018 13:40:54 -0700
Subject: [PATCH 2/6] Add to info about session regenerate to the readme.
---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/README.md b/README.md
index 56a40f1d..b5962b8f 100644
--- a/README.md
+++ b/README.md
@@ -288,6 +288,10 @@ try {
 // Current user
 $user = ParseUser::getCurrentUser();
 ```
+#### Session Id and Session Fixation
+In an attempt to avoid [session fixation exploits](https://www.owasp.org/index.php/Session_fixation), the PHP SDK will call [`session_regenerate_id()`](http://php.net/manual/en/function.session-regenerate-id.php) when a session's permissions are elevated (since 1.5.0). In practice this means that `session_regenerate_id()` will be called when a session goes from no user, to anonymous user; or from no user or anonymous user to registered user.
+
+Changing the PHP session id should have no impact on the contents of the session and state should me maintained for a user that was anonymous and becomes registered.
 #### Verification Emails
From 6c49ba13d82581c9289b62adeeab8f6b4c5a0450 Mon Sep 17 00:00:00 2001
From: Arthur Cinader <700572+acinader@users.noreply.github.com>
Date: Mon, 3 Dec 2018 18:39:38 -0800
Subject: [PATCH 3/6] Add to changelog
---
 CHANGELOG.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 60ac4141..82e150d7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,8 +13,9 @@
 - Adds Purge & Polygon to ParseSchema (#365)
 - Adds Parse Server Health Check (#366)
 - Adds the ability to upgrade to a revocable session (#368)
+- Avoid session fixation exploit by regenerating session id's (#414)
 - Adds ability to Request Verification Emails (#369)
-- Adds the ability to set/save in `ParseConfig` (#371)
+- Adds the ability to set/save in `ParseConfig` (#371)
 - Adds `ParseLogs` (#370)
 - Adds `ParseAudience` (#372)
 - Adds jobs to `ParseCloud` (#373)
@@ -40,7 +41,7 @@
 - Updates to make the sdk friendly with `phpdoc`
 - Added **Getting Started** section to README
-- Removed the default server and mount path for `api.parse.com`
+- Removed the default server and mount path for `api.parse.com`
 - Setup `phpdoc` style enforcing and autodeploy from most recent `master` for our [api ref](http://parseplatform.org/parse-php-sdk/namespaces/Parse.html)
 - **jms/serializer** pinned to **1.7.1** for testing as mentioned in #336 (for phpdoc)
 - Added **ParsePolygon** type and `polygonContains` to **ParseQuery** (thanks to [Diamond Lewis](https://github.com/dplewis))
@@ -266,4 +267,4 @@
 - Updated visibility of `ParseObject::_isDirty` to `protected` (thanks to [Fosco Marotto](https://github.com/gfosco))
 ### 1.0.0
-- Initial release! (thanks to [Fosco Marotto](https://github.com/gfosco))
\ No newline at end of file
+- Initial release! (thanks to [Fosco Marotto](https://github.com/gfosco))
From 46549d409c4531f5e247e52949ebf03f55a33e55 Mon Sep 17 00:00:00 2001
From: Arthur Cinader <700572+acinader@users.noreply.github.com>
Date: Tue, 4 Dec 2018 09:00:02 -0800
Subject: [PATCH 4/6] add table of contents link.
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index b5962b8f..43545767 100644
--- a/README.md
+++ b/README.md
@@ -25,6 +25,7 @@ Please note that this documentation contains the latest changes that may as of y
 - [Use Declarations](#use-declarations)
 - [Parse Objects](#parse-objects)
 - [Users](#users)
+ - [Session Id and Session Fixation](#session-id-and-session-fixation)
 - [Verification Emails](#verification-emails)
 - [ACLs/Security](#acls)
 - [Queries](#queries)
From 04ce1c61ff9e00384f4fd4674c403b4544d0b29d Mon Sep 17 00:00:00 2001
From: Diamond Lewis
Date: Wed, 5 Dec 2018 10:00:38 -0600
Subject: [PATCH 5/6] Update CHANGELOG.md
---
 CHANGELOG.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 82e150d7..caaae387 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,7 +13,6 @@
 - Adds Purge & Polygon to ParseSchema (#365)
 - Adds Parse Server Health Check (#366)
 - Adds the ability to upgrade to a revocable session (#368)
-- Avoid session fixation exploit by regenerating session id's (#414)
 - Adds ability to Request Verification Emails (#369)
 - Adds the ability to set/save in `ParseConfig` (#371)
 - Adds `ParseLogs` (#370)
From 4bdd04e1b9a0d8f457adf431c3900ca43e4ac6d4 Mon Sep 17 00:00:00 2001
From: Diamond Lewis
Date: Wed, 5 Dec 2018 10:07:37 -0600
Subject: [PATCH 6/6] Update README.md
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 43545767..5174f79b 100644
--- a/README.md
+++ b/README.md
@@ -290,9 +290,9 @@ try {
 $user = ParseUser::getCurrentUser();
 ```
 #### Session Id and Session Fixation
-In an attempt to avoid [session fixation exploits](https://www.owasp.org/index.php/Session_fixation), the PHP SDK will call [`session_regenerate_id()`](http://php.net/manual/en/function.session-regenerate-id.php) when a session's permissions are elevated (since 1.5.0). In practice this means that `session_regenerate_id()` will be called when a session goes from no user, to anonymous user; or from no user or anonymous user to registered user.
+In an attempt to avoid [session fixation exploits](https://www.owasp.org/index.php/Session_fixation), the PHP SDK will call [`session_regenerate_id()`](http://php.net/manual/en/function.session-regenerate-id.php) when a session's permissions are elevated (since 1.5.0). In practice this means that `session_regenerate_id()` will be called when a session goes from no user to anonymous user or from no user / anonymous user to registered user.
-Changing the PHP session id should have no impact on the contents of the session and state should me maintained for a user that was anonymous and becomes registered.
+Changing the PHP session id should have no impact on the contents of the session and state should be maintained for a user that was anonymous and becomes registered.
 #### Verification Emails