Reset Session ID on login (#18018)

* Reset Session ID on login

When logging in the SessionID should be reset and the session cleaned up.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* with new session.RegenerateID function

Signed-off-by: Andrew Thornton <art27@cantab.net>

* update go-chi/session

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Ensure that session id is changed after oauth data is set and between account linking pages too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* placate lint

Signed-off-by: Andrew Thornton <art27@cantab.net>

* as per review

Signed-off-by: Andrew Thornton <art27@cantab.net>
zeripath 2021-12-20 14:12:26 +00:00 committed by GitHub
parent 2cd1479e77
commit bcc13f3889
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 121 additions and 11 deletions


@ -15,6 +15,7 @@ import (
"code.gitea.io/gitea/models/db"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/session"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/web/middleware"
)
@ -106,6 +107,14 @@ func isGitRawReleaseOrLFSPath(req *http.Request) bool {
// handleSignIn clears existing session variables and stores new ones for the specified user object
func handleSignIn(resp http.ResponseWriter, req *http.Request, sess SessionStore, user *user_model.User) {
// We need to regenerate the session...
newSess, err := session.RegenerateSession(resp, req)
if err != nil {
log.Error(fmt.Sprintf("Error regenerating session: %v", err))
} else {
sess = newSess
}
_ = sess.Delete("openid_verified_uri")
_ = sess.Delete("openid_signin_remember")
_ = sess.Delete("openid_determined_email")
@ -114,7 +123,7 @@ func handleSignIn(resp http.ResponseWriter, req *http.Request, sess SessionStore
_ = sess.Delete("twofaRemember")
_ = sess.Delete("u2fChallenge")
_ = sess.Delete("linkAccount")
err := sess.Set("uid", user.ID)
err = sess.Set("uid", user.ID)
if err != nil {
log.Error(fmt.Sprintf("Error setting session: %v", err))
}
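Review bot: When `session.RegenerateSession` fails in `handleSignIn`, the error is only logged and the code continues with the pre-login `sess`, so `sess.Set("uid", user.ID)` binds the authenticated user to the session ID the client already held, which is the fixation case this change is meant to close. The visible signature has no return value, so the smallest fail-closed change is a `return` after `log.Error(fmt.Sprintf("Error regenerating session: %v", err))` in the `err != nil` branch. The body of handleSignIn continues outside the hunk and its callers are not shown, so confirm they treat a session without `uid` as a failed sign-in. The same fail-open pattern is in `SessionsStore.Save` in the next file, where `_, _ = chiSession.RegenerateSession(w, r)` discards the error. Save already returns `error`, so it can propagate it: `if _, err := chiSession.RegenerateSession(w, r); err != nil { return err }`.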


@ -55,6 +55,7 @@ func (st *SessionsStore) getOrNew(r *http.Request, name string, override bool) (
}
}
session.IsNew = override
session.ID = chiStore.ID() // Simply copy the session id from the chi store
return session, chiStore.Set(name, session)
@ -64,6 +65,11 @@ func (st *SessionsStore) getOrNew(r *http.Request, name string, override bool) (
func (st *SessionsStore) Save(r *http.Request, w http.ResponseWriter, session *sessions.Session) error {
chiStore := chiSession.GetSession(r)
if session.IsNew {
_, _ = chiSession.RegenerateSession(w, r)
session.IsNew = false
}
if err := chiStore.Set(session.Name(), session); err != nil {
return err
}