Skip to content

Reset Session ID on login (#18018) #18041

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Dec 20, 2021
Merged

Reset Session ID on login (#18018) #18041

merged 2 commits into from
Dec 20, 2021

Conversation

zeripath
Copy link
Contributor

@zeripath zeripath commented Dec 20, 2021
edited
Loading

Backport #18018

When logging in the SessionID should be reset and the session cleaned up.

Also logs the user in on completion of linking account

Signed-off-by: Andrew Thornton [email protected]

@zeripath
Reset Session ID on login (go-gitea#18018)
6b3ad24 
* Reset Session ID on login

When logging in the SessionID should be reset and the session cleaned up.

Signed-off-by: Andrew Thornton <[email protected]>

* with new session.RegenerateID function

Signed-off-by: Andrew Thornton <[email protected]>

* update go-chi/session

Signed-off-by: Andrew Thornton <[email protected]>

* Ensure that session id is changed after oauth data is set and between account linking pages too

Signed-off-by: Andrew Thornton <[email protected]>

* placate lint

Signed-off-by: Andrew Thornton <[email protected]>

* as per review

Signed-off-by: Andrew Thornton <[email protected]>
@zeripath zeripath added this to the 1.15.8 milestone Dec 20, 2021
@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Dec 20, 2021
@6543
Copy link
Member

6543 commented Dec 20, 2021

please add it to the cangelog :)

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Dec 20, 2021
@zeripath
Copy link
Contributor Author

make lgtm

@zeripath zeripath merged commit 76e1c13 into go-gitea:release/v1.15 Dec 20, 2021
@zeripath zeripath deleted the backport-18018-v1.15 branch December 20, 2021 20:06
zeripath added a commit to zeripath/gitea that referenced this pull request Dec 20, 2021
@zeripath
Update Changelog
b4267a3 
Add:

* Move POST /{username}/action/{action} to simply POST /{username} (go-gitea#18045) (go-gitea#18046)
* Fix delete u2f keys bug (go-gitea#18040) (go-gitea#18042)
* Reset Session ID on login (go-gitea#18018) (go-gitea#18041)
* Prevent off-by-one error on comments on newly appended lines (go-gitea#18029) (go-gitea#18035)

Signed-off-by: Andrew Thornton <[email protected]>
@zeripath zeripath mentioned this pull request Dec 20, 2021
Merged
@zeripath zeripath added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Dec 22, 2021
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@techknowlogick techknowlogick techknowlogick approved these changes

@lafriks lafriks lafriks approved these changes

Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug
Projects
None yet
Milestone
1.15.8
Development

Successfully merging this pull request may close these issues.
5 participants
@zeripath @6543 @techknowlogick @lafriks @GiteaBot