[root] expire session when logging in
This prevents session fixation attacks. To make it work, we had to move the call to the init_session() method from the identity store backend.
parent
ab9e981d03
commit
3f29e2430b
|
@ -597,12 +597,13 @@ class RootDirectory(Directory):
|
|||
account.username.replace('\n', ' ').replace('\r', ' ')))
|
||||
raise LoginError()
|
||||
|
||||
identities.get_store().init_session(get_session(), account)
|
||||
if get_request().environ.get('HTTPS') == 'on':
|
||||
authentication_method = 'password-on-https'
|
||||
else:
|
||||
authentication_method = 'password'
|
||||
return self.login_success(identity.id, authentication_method)
|
||||
result = self.login_success(identity.id, authentication_method)
|
||||
identities.get_store().init_session(get_session(), account)
|
||||
return result
|
||||
|
||||
def login_cancel(self):
|
||||
login_token_id = get_field('LoginToken')
|
||||
|
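Review bot: The order of `result = self.login_success(identity.id, authentication_method)` before `identities.get_store().init_session(get_session(), account)` is load-bearing, because login_success() now expires the session and init_session() has to populate the replacement rather than the session being discarded, yet nothing in the code says so and a later refactor could move the call back. A one-line comment above the init_session call, `# Must follow login_success(): it expires the current session (fixation defence), so init_session() has to fill the new one`, would pin that. It is also worth confirming that get_session() at that point already returns the fresh session and not the expired one, since that is presumably what makes the move necessary; otherwise the identity-store data lands on a session that is gone. The enclosing login method starts above the hunk.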
@ -631,6 +632,7 @@ class RootDirectory(Directory):
|
|||
|
||||
def login_success(self, user, method):
|
||||
# Setup current session
|
||||
get_session_manager().expire_session()
|
||||
get_session().set_user(user)
|
||||
get_session().authentication_method = method
|
||||
get_request().user = user
|
||||
|
|
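Review bot: The comment `# Setup current session` above `get_session_manager().expire_session()` no longer describes what the line does; it should name the security purpose, e.g. `# Rotate the session before attaching the user, so a pre-login session id is never promoted to an authenticated one`. The defence only holds if expire_session() also issues a fresh session id and `get_session().set_user(user)` on the next line operates on that new session; that is inferred from the commit message rather than visible here, and deserves a test asserting the session id differs before and after login_success(). login_success() continues past the end of the hunk.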