Regenerate the sessionID after login.

This is to prevent attacks where someone starts a session on a public computer, notes the session ID, then when another user logs in (with the same sessionID), the first user is able to hijack the session. This way each login results in a new session ID, so anyone snooping the old ID is out of luck.
ufront · Jul 21, 2015 · 9e4b082 · 9e4b082
1 parent de3d84e
commit 9e4b082
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/ufront/auth/EasyAuth.hx b/src/ufront/auth/EasyAuth.hx
@@ -102,6 +102,7 @@ using tink.CoreApi;
 			if ( u!=null ) {
 				_currentUser = u;
 				context.session.set(sessionVariableName, (u!=null) ? u.id : null);
+				context.session.regenerateID();
 			}
 			else throw 'Could not set the current user to $user, because that user is not a ufront.auth.model.User';
 		}
@@ -133,6 +134,7 @@ using tink.CoreApi;
 				switch ( r ) {
 					case Success(user):
 						context.session.set( sessionVariableName, user.id );
+						context.session.regenerateID();
 					case Failure(_):
 				}
 			});
@@ -147,6 +149,7 @@ using tink.CoreApi;
 			switch result {
 				case Success(user):
 					context.session.set( sessionVariableName, user.id );
+					context.session.regenerateID();
 				case Failure(_):
 			}