dear cryptorush "devs". you copied your website from my openex beta source code. you should take the website down immediately.
at the very least, you need to do the following:
find on login php where the $loggedInUser Object is created for the loggedinuser class. prior to setting the session add this line.
session_regenerate_id(true);
as a quick fix you can cut/paste this into config.php of the models directory, however for performance and the sake of doing it the "right way", these values should be set in php.ini
the real way to prevent session fixation and hijacking in php
ini_set('session.cookie_httponly', 1);//prevent hijacking
ini_set('session.entropy_file', '/dev/urandom');//choose a source to pull entropy from
ini_set('session.entropy_length', 16);//integer amount in bytes to read from dev/random
ini_set('session.hash_function', 'sha256');//prevents fixation as bruteforcing is pointless at this point.
for your sake, i hope you switched to bcrypt or mcrypt for password hashing as well.
I'm not trying to be rude, but the code is full of race conditions and lacks any protection against sql injection. it also doesn't use transactions. you will have a constant nightmare as long as you use that source code. for the sake of your users, take the site down, pay someone to fix it or wait until i've finished with the new openex source code before someone loses big money and sues your ass.
also, your source code is likely vulnerable to malleated transactions unless you added a secondary table to check against changes in tx hash for the same amount/account timestamp. this is an issue that was brought to my attention earlier today. there is much more. if you would like to talk you know where to find me.
