From ae401a975820b976d381fec3869eec87456153d1 Mon Sep 17 00:00:00 2001
From: Joseph Magen
Date: Sun, 9 Mar 2014 16:55:38 +0200
Subject: [PATCH] fixes #4457 - Session fixation, new session IDs are not generated on login

---
 app/controllers/users_controller.rb | 13 +++++++++++--
 1 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 907000f..82241d2 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -62,9 +62,9 @@ class UsersController < ApplicationController
   # Called from the login form.
   # Stores the user id in the session and redirects required URL or default homepage
   def login
-    session[:user] = User.current = nil
-    session[:locale] = nil
+    User.current = nil
     if request.post?
+      reset_and_save_session
       user = User.try_to_login(params[:login]['login'].downcase, params[:login]['password'])
       if user.nil?
         #failed to authenticate, and/or to generate the account on the fly
@@ -85,11 +85,20 @@ class UsersController < ApplicationController
 
   def extlogin
     if session[:user]
+      reset_and_save_session
       user = User.find_by_id(session[:user])
       login_user(user)
     end
   end
 
+  def reset_and_save_session
+    save_items = {:original_uri => session[:original_uri],
+                  :location_id => session[:location_id],
+                  :organization_id => session[:organization_id]}
+    reset_session
+    session.merge!(save_items) if save_items
+  end
+
   # Called from the logout link
   # Clears the rails session and redirects to the login action
   def logout
-- 
1.7.1
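Review bot: A GET of the login form now leaves the existing session untouched, because the removed lines cleared `session[:user]` and `session[:locale]` unconditionally while the new `reset_and_save_session` call only runs under `if request.post?`; if rendering the login page was relied on to drop a current login, that behaviour is gone. The reset also happens before `User.try_to_login` checks the credentials, so a failed attempt discards every session key except the three copied in `reset_and_save_session` (presumably flash included), which is acceptable for a fixation defence but worth stating. A one-line comment above the call, `# regenerate the session id before authenticating (session fixation, #4457)`, would make the intent explicit. The rest of `login` continues outside the hunk.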
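Review bot: The guard in `session.merge!(save_items) if save_items` is dead: `save_items` is always a Hash literal, so the condition can never be false and the line should simply be `session.merge!(save_items)`. The more relevant point is that the three values re-applied after `reset_session` are read from the pre-authentication session, so an `original_uri`, `location_id` or `organization_id` planted in a fixated session survives the new id; the code that follows `original_uri` is not in this hunk, but it should only honour a local path, and the two ids should be re-checked against the authenticated user's permissions before use. The method also lacks a doc comment in a file where every neighbouring action has one; something like `# Regenerates the session id (session fixation defence) while carrying over the pre-login keys the post-login flow still needs` would record why the whitelist exists.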