From 9f9fe2f345938a39409d4ad2d4153083742d5c8d Mon Sep 17 00:00:00 2001
From: Joseph Magen
Date: Sun, 9 Mar 2014 16:55:38 +0200
Subject: [PATCH] fixes #4457 - Session fixation, new session IDs are not generated on login
---
 app/controllers/users_controller.rb | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 8e81dce..79ed8b5 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -62,8 +62,8 @@ class UsersController < ApplicationController
 # Called from the login form.
 # Stores the user id in the session and redirects required URL or default homepage
 def login
- session[:user] = User.current = nil
- session[:locale] = nil
+ User.current = nil
+ reset_session
 if request.post?
 user = User.try_to_login(params[:login]['login'].downcase, params[:login]['password'])
 if user.nil?
--
1.7.1
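Review bot: `reset_session` is placed above `if request.post?`, so it runs on every request to `login`, including the GET that only renders the form, and it discards the whole session rather than just `:user` and `:locale`. The comment above the method says the action redirects to the "required URL"; if that target is kept in the session (not visible in this hunk), it would be wiped before the redirect can use it. Rotating the ID is only needed at the authentication step, so consider moving the call inside the POST branch, just before the user id is written to the session, and re-adding only the specific keys that must survive. A short why-comment such as `# rotate the session ID on login so a pre-set ID cannot be reused (session fixation)` would keep the call from being "simplified" away later, and a functional test asserting that the session ID differs before and after a successful login would pin the fix. The body of `login` continues outside the hunk.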