Reset Session ID on login (#18018)

* Reset Session ID on login

When logging in the SessionID should be reset and the session cleaned up.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* with new session.RegenerateID function

Signed-off-by: Andrew Thornton <art27@cantab.net>

* update go-chi/session

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Ensure that session id is changed after oauth data is set and between account linking pages too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* placate lint

Signed-off-by: Andrew Thornton <art27@cantab.net>

* as per review

Signed-off-by: Andrew Thornton <art27@cantab.net>

vendor/gitea.com/go-chi/session/session.go

@@ -260,7 +260,7 @@ func Sessioner(options ...Options) func(next http.Handler) http.Handler {
 				return
 			}
 
-			if err = sess.Release(); err != nil {
+			if err = s.RawStore.Release(); err != nil {
 				panic("session(release): " + err.Error())
 			}
 		})
@@ -274,6 +274,26 @@ func GetSession(req *http.Request) Store {
 	return sess
 }
 
+// RegenerateSession
+func RegenerateSession(resp http.ResponseWriter, req *http.Request) (Store, error) {
+	sess, ok := GetSession(req).(*store)
+	if !ok {
+		return nil, fmt.Errorf("no session in request context")
+	}
+
+	oldRawStore := sess.RawStore
+	if err := oldRawStore.Release(); err != nil {
+		return nil, err
+	}
+
+	store, err := sess.RegenerateID(resp, req)
+	if err != nil {
+		return nil, err
+	}
+	sess.RawStore = store
+	return sess, nil
+}
+
 // Provider is the interface that provides session manipulations.
 type Provider interface {
 	// Init initializes session provider.

vendor/modules.txt

@@ -18,7 +18,7 @@ gitea.com/go-chi/cache/memcache
 # gitea.com/go-chi/captcha v0.0.0-20211013065431-70641c1a35d5
 ## explicit
 gitea.com/go-chi/captcha
-# gitea.com/go-chi/session v0.0.0-20211013065435-7d334f340c09
+# gitea.com/go-chi/session v0.0.0-20211218221615-e3605d8b28b8
 ## explicit
 gitea.com/go-chi/session
 gitea.com/go-chi/session/couchbase