
Bug #4457 » 0002-fixes-4457-Session-fixation-new-session-IDs-are-not-.patch

Joseph Magen, 03/17/2014 08:30 AM

View differences:

app/controllers/users_controller.rb
# Called from the login form.
# Stores the user id in the session and redirects required URL or default homepage
def login
session[:user] = User.current = nil
session[:locale] = nil
User.current = nil
if request.post?
reset_and_save_session
user = User.try_to_login(params[:login]['login'].downcase, params[:login]['password'])
if user.nil?
#failed to authenticate, and/or to generate the account on the fly
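Review bot: The three assignments at the top of `login` are partly redundant and partly lost: `session[:user] = User.current = nil` already sets `User.current` to nil, so the later `User.current = nil` repeats it, and on a POST `reset_and_save_session` discards the whole session before `User.try_to_login` runs, so the two `session[...] = nil` writes are thrown away anyway. Suggest dropping the duplicate `User.current = nil` and adding a comment that the explicit clearing is there for the GET path (where the session is cleared but its id is not rotated). Calling `reset_and_save_session` before authentication also rotates the id on failed attempts; that is acceptable for fixation defence, but a short comment stating it is intentional would keep it from being "optimized" away later.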
......
def extlogin
if session[:user]
reset_and_save_session
user = User.find_by_id(session[:user])
login_user(user)
end
end
def reset_and_save_session
save_original_uri = {:original_uri => session[:original_uri]}
reset_session
session.merge!(save_original_uri) if save_original_uri
end
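Review bot: In `extlogin`, `reset_and_save_session` runs before `User.find_by_id(session[:user])`, but `reset_session` inside it discards `session[:user]`, so the lookup runs with nil and `login_user` receives nil; read the id into a local before the reset (`user = User.find_by_id(session[:user])`, then `reset_and_save_session`, then `login_user(user)`), or carry the id through `reset_and_save_session` the same way `:original_uri` is. In `reset_and_save_session`, the guard `if save_original_uri` is always true because the hash literal is truthy even when `session[:original_uri]` was nil, so the merge re-inserts a nil entry; guard on the value instead: `original_uri = session[:original_uri]; reset_session; session[:original_uri] = original_uri if original_uri`.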
# Called from the logout link
# Clears the rails session and redirects to the login action
def logout