From 3f29e2430bf43fb0863227273e0e2874187f30ce Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 27 Jan 2011 13:40:57 +0000
Subject: [PATCH] [root] expire session when logging in

This prevent session fixation attacks. To make it work we had to move the call to the method init_session() from the identity store backend.
---
 authentic/root.ptl | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/authentic/root.ptl b/authentic/root.ptl
index 930c911..3c49404 100644
--- a/authentic/root.ptl
+++ b/authentic/root.ptl
@@ -597,12 +597,13 @@ class RootDirectory(Directory):
                 account.username.replace('\n', ' ').replace('\r', ' ')))
             raise LoginError()
-        identities.get_store().init_session(get_session(), account)
         if get_request().environ.get('HTTPS') == 'on':
             authentication_method = 'password-on-https'
         else:
             authentication_method = 'password'
-        return self.login_success(identity.id, authentication_method)
+        result = self.login_success(identity.id, authentication_method)
+        identities.get_store().init_session(get_session(), account)
+        return result
 
     def login_cancel(self):
         login_token_id = get_field('LoginToken')
@@ -631,6 +632,7 @@ class RootDirectory(Directory):
     def login_success(self, user, method):
         # Setup current session
+        get_session_manager().expire_session()
         get_session().set_user(user)
         get_session().authentication_method = method
         get_request().user = user
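Review bot: The moved `identities.get_store().init_session(get_session(), account)` call now runs after `login_success()` has already marked the session as authenticated, so an exception raised inside `init_session()` would leave a session that is logged in but never set up by the identity store; whether that is harmful depends on what `init_session()` does, which is not visible on this page. The ordering is deliberate and deserves a comment where the call sits, e.g. `# must run after login_success(): that call expires the current session (session fixation defence), so anything attached to the old session would be discarded`. The reorder also assumes `get_session()` hands back the replacement session once `expire_session()` has run inside `login_success()`; if the session manager instead leaves the request without a session, both this call and the `set_user()` call in the second hunk would fail, so confirm this against the session manager in use. The enclosing login method starts before the hunk.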