Reset Session ID on login (#18018)

* Reset Session ID on login When logging in the SessionID should be reset and the session cleaned up. Signed-off-by: Andrew Thornton <art27@cantab.net> * with new session.RegenerateID function Signed-off-by: Andrew Thornton <art27@cantab.net> * update go-chi/session Signed-off-by: Andrew Thornton <art27@cantab.net> * Ensure that session id is changed after oauth data is set and between account linking pages too Signed-off-by: Andrew Thornton <art27@cantab.net> * placate lint Signed-off-by: Andrew Thornton <art27@cantab.net> * as per review Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-12-20 14:12:26 +00:00 · 2021-12-20 14:12:26 +00:00 · bcc13f3889
commit bcc13f3889
parent 2cd1479e77
9 changed files with 121 additions and 11 deletions
--- a/services/auth/source/oauth2/store.go
+++ b/services/auth/source/oauth2/store.go
@ -55,6 +55,7 @@ func (st *SessionsStore) getOrNew(r *http.Request, name string, override bool) (
 		}
 	}

+	session.IsNew = override
 	session.ID = chiStore.ID() // Simply copy the session id from the chi store

 	return session, chiStore.Set(name, session)
@ -64,6 +65,11 @@ func (st *SessionsStore) getOrNew(r *http.Request, name string, override bool) (
 func (st *SessionsStore) Save(r *http.Request, w http.ResponseWriter, session *sessions.Session) error {
 	chiStore := chiSession.GetSession(r)

+	if session.IsNew {
+		_, _ = chiSession.RegenerateSession(w, r)
+		session.IsNew = false
+	}
+
 	if err := chiStore.Set(session.Name(), session); err != nil {
 		return err
 	}