Skip to content

Reset Session ID on login (#18018)#18041

Merged
zeripath merged 2 commits intogo-gitea:release/v1.15from
zeripath:backport-18018-v1.15
Dec 20, 2021
Merged

Reset Session ID on login (#18018)#18041
zeripath merged 2 commits intogo-gitea:release/v1.15from
zeripath:backport-18018-v1.15

Conversation

@zeripath
Copy link
Copy Markdown
Contributor

@zeripath zeripath commented Dec 20, 2021
edited
Loading

Backport #18018

When logging in the SessionID should be reset and the session cleaned up.

Also logs the user in on completion of linking account

Signed-off-by: Andrew Thornton art27@cantab.net

@zeripath
Reset Session ID on login (go-gitea#18018)
6b3ad24 
* Reset Session ID on login

When logging in the SessionID should be reset and the session cleaned up.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* with new session.RegenerateID function

Signed-off-by: Andrew Thornton <art27@cantab.net>

* update go-chi/session

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Ensure that session id is changed after oauth data is set and between account linking pages too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* placate lint

Signed-off-by: Andrew Thornton <art27@cantab.net>

* as per review

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath added this to the 1.15.8 milestone Dec 20, 2021
@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Dec 20, 2021
@6543
Copy link
Copy Markdown
Member

6543 commented Dec 20, 2021

please add it to the cangelog :)

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Dec 20, 2021
@zeripath
Copy link
Copy Markdown
Contributor Author

zeripath commented Dec 20, 2021

make lgtm

@zeripath zeripath merged commit 76e1c13 into go-gitea:release/v1.15 Dec 20, 2021
@zeripath zeripath deleted the backport-18018-v1.15 branch December 20, 2021 20:06
zeripath added a commit to zeripath/gitea that referenced this pull request Dec 20, 2021
@zeripath
Update Changelog
b4267a3 
Add:

* Move POST /{username}/action/{action} to simply POST /{username} (go-gitea#18045) (go-gitea#18046)
* Fix delete u2f keys bug (go-gitea#18040) (go-gitea#18042)
* Reset Session ID on login (go-gitea#18018) (go-gitea#18041)
* Prevent off-by-one error on comments on newly appended lines (go-gitea#18029) (go-gitea#18035)

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath mentioned this pull request Dec 20, 2021
Merged
@zeripath zeripath added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Dec 22, 2021
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@techknowlogick techknowlogick techknowlogick approved these changes

@lafriks lafriks lafriks approved these changes

Assignees

No one assigned

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug

Projects

None yet

Milestone

1.15.8

Development

Successfully merging this pull request may close these issues.

5 participants

@zeripath @6543 @techknowlogick @lafriks @GiteaBot