Regenerate session-ids to prevent session fixation

core/admin/mailu/ui/views/base.py

@@ -17,6 +17,7 @@ def login():
     if form.validate_on_submit():
         user = models.User.login(form.email.data, form.pw.data)
         if user:
+            flask.session.regenerate()
             flask_login.login_user(user)
             endpoint = flask.request.args.get('next', '.index')
             return flask.redirect(flask.url_for(endpoint)
@@ -30,6 +31,7 @@ def login():
 @access.authenticated
 def logout():
     flask_login.logout_user()
+    flask.session.destroy()
     return flask.redirect(flask.url_for('.index'))
 
 

core/admin/mailu/ui/views/users.py

@@ -119,6 +119,7 @@ def user_password(user_email):
         if form.pw.data != form.pw2.data:
             flask.flash('Passwords do not match', 'error')
         else:
+            flask.session.regenerate()
             user.set_password(form.pw.data)
             models.db.session.commit()
             flask.flash('Password updated for %s' % user)
@@ -186,6 +187,7 @@ def user_signup(domain_name=None):
         if domain.has_email(form.localpart.data):
             flask.flash('Email is already used', 'error')
         else:
+            flask.session.regenerate()
             user = models.User(domain=domain)
             form.populate_obj(user)
             user.set_password(form.pw.data)