Reset Session ID on login (#18018) (#18041)

Backport #18018 When logging in the SessionID should be reset and the session cleaned up. Also logs the user in on completion of linking account Signed-off-by: Andrew Thornton <art27@cantab.net>
2025-08-23 09:58:27 +00:00 · 2021-12-20 20:06:54 +00:00
parent 148a417774
commit 76e1c130fb
11 changed files with 148 additions and 31 deletions
--- a/routers/web/user/auth_openid.go
+++ b/routers/web/user/auth_openid.go
@@ -16,6 +16,7 @@ import (
 	"code.gitea.io/gitea/modules/hcaptcha"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/recaptcha"
+	"code.gitea.io/gitea/modules/session"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web"
@@ -231,6 +232,11 @@ func signInOpenIDVerify(ctx *context.Context) {
 		}
 	}

+	if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+		ctx.ServerError("RegenerateSession", err)
+		return
+	}
+
 	if err := ctx.Session.Set("openid_verified_uri", id); err != nil {
 		log.Error("signInOpenIDVerify: Could not set openid_verified_uri in session: %v", err)
 	}