Regenerate session-ids to prevent session fixation

3 years ago · a1d32568d6
parent d459c37432
commit a1d32568d6
2 changed files with 4 additions and 0 deletions
--- a/core/admin/mailu/ui/views/base.py
+++ b/core/admin/mailu/ui/views/base.py
@ -17,6 +17,7 @@ def login():
    if form.validate_on_submit():
        user = models.User.login(form.email.data, form.pw.data)
        if user:
+            flask.session.regenerate()
            flask_login.login_user(user)
            endpoint = flask.request.args.get('next', '.index')
            return flask.redirect(flask.url_for(endpoint)
@ -30,6 +31,7 @@ def login():
@access.authenticated
 def logout():
    flask_login.logout_user()
+    flask.session.destroy()
    return flask.redirect(flask.url_for('.index'))


--- a/core/admin/mailu/ui/views/users.py
+++ b/core/admin/mailu/ui/views/users.py
@ -119,6 +119,7 @@ def user_password(user_email):
        if form.pw.data != form.pw2.data:
            flask.flash('Passwords do not match', 'error')
        else:
+            flask.session.regenerate()
            user.set_password(form.pw.data)
            models.db.session.commit()
            flask.flash('Password updated for %s' % user)
@ -186,6 +187,7 @@ def user_signup(domain_name=None):
        if domain.has_email(form.localpart.data):
            flask.flash('Email is already used', 'error')
        else:
+            flask.session.regenerate()
            user = models.User(domain=domain)
            form.populate_obj(user)
            user.set_password(form.pw.data)