[root] expire session when logging in

This prevent session fixation attacks. To make it work we had to move the call to the method init_session() from the identity store backend.
2011-01-27 13:40:57 +00:00 · 2011-01-27 13:40:57 +00:00 · 3f29e2430b
parent ab9e981d03
commit 3f29e2430b
1 changed files with 4 additions and 2 deletions
--- a/authentic/root.ptl
+++ b/authentic/root.ptl
@ -597,12 +597,13 @@ class RootDirectory(Directory):
                        account.username.replace('\n', ' ').replace('\r', ' ')))
            raise LoginError()

-        identities.get_store().init_session(get_session(), account)
        if get_request().environ.get('HTTPS') == 'on':
            authentication_method = 'password-on-https'
        else:
            authentication_method = 'password'
-        return self.login_success(identity.id, authentication_method)
+        result = self.login_success(identity.id, authentication_method)
+        identities.get_store().init_session(get_session(), account)
+        return result

    def login_cancel(self):
        login_token_id = get_field('LoginToken')
@ -631,6 +632,7 @@ class RootDirectory(Directory):

    def login_success(self, user, method):
        # Setup current session
+        get_session_manager().expire_session()
        get_session().set_user(user)
        get_session().authentication_method = method
        get_request().user = user