Bug #4457 » 0003-fixes-4457-Session-fixation-new-session-IDs-are-not-.patch
| app/controllers/users_controller.rb | ||
|---|---|---|
|
# Called from the login form.
|
||
|
# Stores the user id in the session and redirects required URL or default homepage
|
||
|
def login
|
||
|
session[:user] = User.current = nil
|
||
|
session[:locale] = nil
|
||
|
User.current = nil
|
||
|
if request.post?
|
||
|
reset_and_save_session
|
||
|
user = User.try_to_login(params[:login]['login'].downcase, params[:login]['password'])
|
||
|
if user.nil?
|
||
|
#failed to authenticate, and/or to generate the account on the fly
|
||
| ... | ... | |
|
def extlogin
|
||
|
if session[:user]
|
||
|
reset_and_save_session
|
||
|
user = User.find_by_id(session[:user])
|
||
|
login_user(user)
|
||
|
end
|
||
|
end
|
||
|
def reset_and_save_session
|
||
|
save_items = {:original_uri => session[:original_uri],
|
||
|
:location_id => session[:location_id],
|
||
|
:organization_id => session[:organization_id]}
|
||
|
reset_session
|
||
|
session.merge!(save_items) if save_items
|
||
|
end
|
||
|
# Called from the logout link
|
||
|
# Clears the rails session and redirects to the login action
|
||
|
def logout
|
||