From a1d32568d6aceec8b0a2a0fd0514714585020edc Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 22 Feb 2021 20:43:52 +0100
Subject: [PATCH] Regenerate session-ids to prevent session fixation

---
 core/admin/mailu/ui/views/base.py  | 2 ++
 core/admin/mailu/ui/views/users.py | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/core/admin/mailu/ui/views/base.py b/core/admin/mailu/ui/views/base.py
index 7501a883..625c02e1 100644
--- a/core/admin/mailu/ui/views/base.py
+++ b/core/admin/mailu/ui/views/base.py
@@ -17,6 +17,7 @@ def login():
     if form.validate_on_submit():
         user = models.User.login(form.email.data, form.pw.data)
         if user:
+            flask.session.regenerate()
             flask_login.login_user(user)
             endpoint = flask.request.args.get('next', '.index')
             return flask.redirect(flask.url_for(endpoint)
@@ -30,6 +31,7 @@ def login():
 @access.authenticated
 def logout():
     flask_login.logout_user()
+    flask.session.destroy()
     return flask.redirect(flask.url_for('.index'))
 
 
diff --git a/core/admin/mailu/ui/views/users.py b/core/admin/mailu/ui/views/users.py
index 8830ff5b..2784fe53 100644
--- a/core/admin/mailu/ui/views/users.py
+++ b/core/admin/mailu/ui/views/users.py
@@ -119,6 +119,7 @@ def user_password(user_email):
         if form.pw.data != form.pw2.data:
             flask.flash('Passwords do not match', 'error')
         else:
+            flask.session.regenerate()
             user.set_password(form.pw.data)
             models.db.session.commit()
             flask.flash('Password updated for %s' % user)
@@ -186,6 +187,7 @@ def user_signup(domain_name=None):
         if domain.has_email(form.localpart.data):
             flask.flash('Email is already used', 'error')
         else:
+            flask.session.regenerate()
             user = models.User(domain=domain)
             form.populate_obj(user)
             user.set_password(form.pw.data)