
0003-fixes-4457-Session-fixation-new-session-IDs-are-not-.patch

Joseph Magen, 03/17/2014 05:05 PM


app/controllers/users_controller.rb
62 62
  # Called from the login form.
63 63
  # Stores the user id in the session and redirects required URL or default homepage
64 64
  def login
65
    session[:user] = User.current = nil
66
    session[:locale] = nil
65
    User.current = nil
67 66
    if request.post?
67
      reset_and_save_session
68 68
      user = User.try_to_login(params[:login]['login'].downcase, params[:login]['password'])
69 69
      if user.nil?
70 70
        #failed to authenticate, and/or to generate the account on the fly
......
85 85

  
86 86
  def extlogin
87 87
    if session[:user]
88
      reset_and_save_session
88 89
      user = User.find_by_id(session[:user])
89 90
      login_user(user)
90 91
    end
91 92
  end
92 93

  
94
  def reset_and_save_session
95
    save_items = {:original_uri    => session[:original_uri],
96
                  :location_id     => session[:location_id],
97
                  :organization_id => session[:organization_id]}
98
    reset_session
99
    session.merge!(save_items) if save_items
100
  end
101

  
93 102
  # Called from the logout link
94 103
  # Clears the rails session and redirects to the login action
95 104
  def logout
96
-