Bug #4457 » 0002-fixes-4457-Session-fixation-new-session-IDs-are-not-.patch
app/controllers/users_controller.rb | ||
---|---|---|
# Called from the login form.
|
||
# Stores the user id in the session and redirects required URL or default homepage
|
||
def login
|
||
session[:user] = User.current = nil
|
||
session[:locale] = nil
|
||
User.current = nil
|
||
if request.post?
|
||
reset_and_save_session
|
||
user = User.try_to_login(params[:login]['login'].downcase, params[:login]['password'])
|
||
if user.nil?
|
||
#failed to authenticate, and/or to generate the account on the fly
|
||
... | ... | |
def extlogin
|
||
if session[:user]
|
||
reset_and_save_session
|
||
user = User.find_by_id(session[:user])
|
||
login_user(user)
|
||
end
|
||
end
|
||
def reset_and_save_session
|
||
save_original_uri = {:original_uri => session[:original_uri]}
|
||
reset_session
|
||
session.merge!(save_original_uri) if save_original_uri
|
||
end
|
||
# Called from the logout link
|
||
# Clears the rails session and redirects to the login action
|
||
def logout
|