Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reset Session ID on login #18018

Merged
merged 10 commits into from
Dec 20, 2021
Merged

Reset Session ID on login #18018

merged 10 commits into from
Dec 20, 2021

Conversation

zeripath
Copy link
Contributor

@zeripath zeripath commented Dec 18, 2021
edited
Loading

When logging in the SessionID should be reset and the session cleaned up.

Also logs the user in on completion of linking account

Signed-off-by: Andrew Thornton art27@cantab.net

@zeripath zeripath added this to the 1.16.0 milestone Dec 18, 2021
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Dec 18, 2021
@zeripath
Reset Session ID on login
a63ce34 
When logging in the SessionID should be reset and the session cleaned up.

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath

This comment has been minimized.

Sign in to view
@codecov-commenter
Copy link

codecov-commenter commented Dec 18, 2021
edited
Loading

Codecov Report

❗ No coverage uploaded for pull request base (main@e4e4118). Click here to learn what that means.
The diff coverage is 12.96%.

Impacted file tree graph

@@           Coverage Diff           @@
##             main   #18018   +/-   ##
=======================================
  Coverage        ?   45.17%           
=======================================
  Files           ?      824           
  Lines           ?    91436           
  Branches        ?        0           
=======================================
  Hits            ?    41305           
  Misses          ?    43536           
  Partials        ?     6595
Impacted Files Coverage Δ
routers/web/user/auth_openid.go 0.00% <0.00%> (ø)
services/auth/auth.go 27.11% <0.00%> (ø)
services/auth/source/oauth2/store.go 0.00% <0.00%> (ø)
routers/web/user/auth.go 11.14% <10.52%> (ø)
modules/session/store.go 100.00% <100.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e4e4118...2f85e32. Read the comment docs.

@zeripath

This comment has been minimized.

Sign in to view
@zeripath
with new session.RegenerateID function
6c63eb0 
Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath
update go-chi/session
d15a3e5 
Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath
Ensure that session id is changed after oauth data is set and between…
aa93f00 
… account linking pages too

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath
placate lint
2cbf150 
Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath
Merge remote-tracking branch 'origin/main' into reset-session-id-on-l…
ff5b88d 
…ogin
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Dec 20, 2021
@lunny
Copy link
Member

lunny commented Dec 20, 2021

I found if user enabled 2fa, the sessionid changed when password checked. But when second verify checked, session id will not changed.
Is that by design?

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Dec 20, 2021
@lunny lunny merged commit bcc13f3 into go-gitea:main Dec 20, 2021
zeripath added a commit to zeripath/gitea that referenced this pull request Dec 20, 2021
@zeripath
Reset Session ID on login (go-gitea#18018)
6b3ad24 
* Reset Session ID on login

When logging in the SessionID should be reset and the session cleaned up.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* with new session.RegenerateID function

Signed-off-by: Andrew Thornton <art27@cantab.net>

* update go-chi/session

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Ensure that session id is changed after oauth data is set and between account linking pages too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* placate lint

Signed-off-by: Andrew Thornton <art27@cantab.net>

* as per review

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath mentioned this pull request Dec 20, 2021
Merged
zeripath added a commit that referenced this pull request Dec 20, 2021
@zeripath
Reset Session ID on login (#18018) (#18041)
76e1c13 
Backport #18018

When logging in the SessionID should be reset and the session cleaned up.

Also logs the user in on completion of linking account

Signed-off-by: Andrew Thornton <art27@cantab.net>
zeripath added a commit to zeripath/gitea that referenced this pull request Dec 20, 2021
@zeripath
Update Changelog
b4267a3 
Add:

* Move POST /{username}/action/{action} to simply POST /{username} (go-gitea#18045) (go-gitea#18046)
* Fix delete u2f keys bug (go-gitea#18040) (go-gitea#18042)
* Reset Session ID on login (go-gitea#18018) (go-gitea#18041)
* Prevent off-by-one error on comments on newly appended lines (go-gitea#18029) (go-gitea#18035)

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath mentioned this pull request Dec 20, 2021
Merged
@zeripath zeripath added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Dec 22, 2021
@zeripath zeripath deleted the reset-session-id-on-login branch December 22, 2021 09:12
@zeripath zeripath added the backport/done All backports for this PR have been created label Dec 25, 2021
Chianina pushed a commit to Chianina/gitea that referenced this pull request Mar 28, 2022
@zeripath
Reset Session ID on login (go-gitea#18018)
11f7bdf 
* Reset Session ID on login

When logging in the SessionID should be reset and the session cleaned up.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* with new session.RegenerateID function

Signed-off-by: Andrew Thornton <art27@cantab.net>

* update go-chi/session

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Ensure that session id is changed after oauth data is set and between account linking pages too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* placate lint

Signed-off-by: Andrew Thornton <art27@cantab.net>

* as per review

Signed-off-by: Andrew Thornton <art27@cantab.net>
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@wxiaoguang wxiaoguang wxiaoguang left review comments

@lunny lunny lunny approved these changes

@techknowlogick techknowlogick techknowlogick approved these changes

Assignees
No one assigned
Labels
backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug
Projects
None yet
Milestone
1.16.0
Development

Successfully merging this pull request may close these issues.
6 participants
@zeripath @codecov-commenter @lunny @techknowlogick @wxiaoguang @GiteaBot