From 298f61521c55b07e5c898a92264dbe111735a87a Mon Sep 17 00:00:00 2001
From: Daniel Hensby
Date: Fri, 15 Jul 2016 11:49:02 +0100
Subject: [PATCH] [SS-2016-008] Reset `Member::Salt` on password change

---
 security/Member.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/security/Member.php b/security/Member.php
index 23c771a3e56..f8a2bf18526 100644
--- a/security/Member.php
+++ b/security/Member.php
@@ -786,8 +786,8 @@ public static function currentUserID() {
 * @return string Returns a random password.
 */
 public static function create_new_password() {
- if(file_exists(Security::get_word_list())) {
- $words = file(Security::get_word_list());
+ if(file_exists(Security::config()->word_list)) {
+ $words = file(Security::config()->word_list);
 list($usec, $sec) = explode(' ', microtime());
 srand($sec + ((float) $usec * 100000));
@@ -799,7 +799,7 @@ public static function create_new_password() {
 } else {
 $random = rand();
 $string = md5($random);
- $output = substr($string, 0, 6);
+ $output = substr($string, 0, 8);
 return $output;
 }
 }
@@ -858,6 +858,9 @@ public function onBeforeWrite() {
 // Note that this only works with cleartext passwords, as we can't rehash
 // existing passwords.
 if((!$this->ID && $this->Password) || $this->isChanged('Password')) {
+ //reset salt so that it gets regenerated - this will invalidate any persistant login cookies
+ // or other information encrypted with this Member's settings (see self::encryptWithUserSettings)
+ $this->Salt = '';
 // Password was changed: encrypt the password according the settings
 $encryption_details = Security::encrypt_password(
 $this->Password, // this is assumed to be cleartext
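Review bot: Both branches of create_new_password() still draw their randomness from `rand()`: the word-list branch here seeds it with `srand($sec + ((float) $usec * 100000))` from `microtime()`, and the fallback in the second hunk widens `substr(md5($random), 0, 8)` from 6 to 8 characters, which adds output length but not unpredictability, since `rand()` is not a cryptographic generator and the commit does not change that. A generated password should come from `random_int()` / `random_bytes()` where the project's PHP baseline allows it (for the fallback, `$output = bin2hex(random_bytes(4));` yields the same 8 hex characters), or from `openssl_random_pseudo_bytes()` on older baselines. Separately, the new `$words = file(Security::config()->word_list);` line is unchecked: `file_exists()` does not guarantee readability, and a failed read leaves `$words` as `false` for the word-selection code that follows; a guard such as `if(is_readable(Security::config()->word_list) && ($words = file(Security::config()->word_list)) !== false) {` closes that gap. The body of create_new_password() continues past this hunk and into the next one.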
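Review bot: `$this->Salt = '';` only achieves the stated invalidation if the `Security::encrypt_password(` call that follows (its argument list continues outside the hunk) treats an empty salt as "generate a fresh one"; if the salt is forwarded as given, the member would be written with an empty salt rather than a new one, so the change should be backed by a test asserting that after a password change `Salt` is non-empty and differs from its previous value. The added comment also has a typo and inconsistent `//` spacing; suggested wording: `// Reset the salt so that it is regenerated; this invalidates any persistent login cookies` / `// or other data encrypted with this Member's settings (see self::encryptWithUserSettings).` The enclosing `if` block and onBeforeWrite() both end outside the hunk.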