From 32486966fdb9030be8bc0c5b5cf96a408daeacbf Mon Sep 17 00:00:00 2001
From: Joseph Magen
Date: Sun, 9 Mar 2014 16:55:38 +0200
Subject: [PATCH] fixes #4457 - Session fixation, new session IDs are not generated on login

---
 app/controllers/users_controller.rb | 11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 907000f..7a7ed21 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -62,9 +62,9 @@ class UsersController < ApplicationController
 # Called from the login form.
 # Stores the user id in the session and redirects required URL or default homepage
 def login
- session[:user] = User.current = nil
- session[:locale] = nil
+ User.current = nil
 if request.post?
+ reset_and_save_session
 user = User.try_to_login(params[:login]['login'].downcase, params[:login]['password'])
 if user.nil?
 #failed to authenticate, and/or to generate the account on the fly
@@ -85,11 +85,18 @@ class UsersController < ApplicationController
 def extlogin
 if session[:user]
+ reset_and_save_session
 user = User.find_by_id(session[:user])
 login_user(user)
 end
 end
+ def reset_and_save_session
+ save_original_uri = {:original_uri => session[:original_uri]}
+ reset_session
+ session.merge!(save_original_uri) if save_original_uri
+ end
+
 # Called from the logout link
 # Clears the rails session and redirects to the login action
 def logout
-- 
1.7.1
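Review bot: The comment above `def login` still describes only storing the user id, while the new code also regenerates the session id via `reset_and_save_session` on POST, before the credentials are checked; a GET of the form keeps the existing session. Suggest extending the comment with `# On POST the session is reset (new session id, only :original_uri is kept) before authentication, so a pre-set session id cannot be reused after login`. Since `:original_uri` is the one value that survives the reset, whatever consumes it for the post-login redirect should still validate that it is a local path; that consumer is outside this hunk. `login`'s body continues past the end of the hunk.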
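Review bot: In `extlogin`, `reset_and_save_session` now runs before `session[:user]` is read, but `reset_session` discards every key except `:original_uri`, so `User.find_by_id(session[:user])` is evaluated against nil and `login_user` gets no user; read the id first, i.e. `user = User.find_by_id(session[:user])`, then `reset_and_save_session`, then `login_user(user)`. In `reset_and_save_session` the guard `if save_original_uri` is always true because the value is a hash literal, so `original_uri = session[:original_uri]; reset_session; session[:original_uri] = original_uri if original_uri` states the intent and avoids writing a nil entry into the fresh session. The helper is also defined between two action methods with no visibility modifier in view, so it appears to be a public controller method; if the application's routes could dispatch to it, mark it `private` (or move it under an existing `private` section, if the file has one outside this hunk).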