Commit 86a30ce7 authored by Benjamin "Ziirish" SANS's avatar Benjamin "Ziirish" SANS

fix security issue that would allow hijacking an old session

parent 43a360c3
......@@ -11,6 +11,7 @@
import os
import sys
import uuid
import hashlib
import logging
from flask import Blueprint, Response, request, current_app, session
......@@ -37,6 +38,7 @@ def cache_key():
request.headers.get('X-Session-Tag', ''),
session.get('language', '')
key = hashlib.sha256(key).hexdigest()
return key
......@@ -402,12 +402,7 @@ def login():
if form.validate_on_submit():
# allow to switch to another backend
refresh = True
# prevent session to be reused by another user
if 'login' in session and session['login'] !=
session['login'] =
if 'tag_id' not in session:
session['tag_id'] = uuid.uuid4()
session['tag_id'] = uuid.uuid4()
session['language'] =
user = bui.uhandler.user(, refresh)
if user.is_active and user.login(
......@@ -433,10 +428,12 @@ def login():
def logout():
for key in ['authenticated', 'persistent']:
if key in session:
# cleanup the session at logout to avoid further reuse by another user
# we can keep the language since it is non critical imho
lang = session['language']
session['language'] = lang
return redirect(url_for('.home'))
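Review bot: `key = hashlib.sha256(key).hexdigest()` in cache_key hashes a text string assembled from the request, the X-Session-Tag header and the session language, which raises TypeError on Python 3 unless it is encoded first; `key = hashlib.sha256(key.encode('utf-8')).hexdigest()` works on both interpreter lines. In logout, `lang = session['language']` raises KeyError for a session that never had a language set (login assigns it only after the form validates), so `lang = session.get('language')` is the safer read. The statement that actually empties the session between saving and restoring the language is not visible in this rendering; confirm a `session.clear()` is really there, because without it the new comment's promise that the session cannot be reused by another user does not hold. cache_key, login and logout all start or continue outside the hunks shown.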