Generate a new session on login and 2FA #220

ikus060 · Sep 21, 2022 · 39e7dcd · 39e7dcd
1 parent ac334dd
commit 39e7dcd
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -107,6 +107,12 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/
 
 # Changelog
 
+## 2.4.7 (2002-09-21)
+
+This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
+
+* Generate a new session on login and 2FA #220
+
 ## 2.4.6 (2022-09-20)
 
 This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.

diff --git a/rdiffweb/controller/page_login.py b/rdiffweb/controller/page_login.py
@@ -69,6 +69,7 @@ def index(self, **kwargs):
             else:
                 if userobj:
                     cherrypy.session[SESSION_KEY] = userobj.username
+                    cherrypy.session.regenerate()
                     raise cherrypy.HTTPRedirect(form.redirect.data)
                 flash(_("Invalid username or password."))
 
@@ -89,4 +90,5 @@ class LogoutPage(Controller):
     @cherrypy.config(**{'tools.auth_form.on': False})
     def default(self):
         cherrypy.session[SESSION_KEY] = None
+        cherrypy.session.regenerate()
         raise cherrypy.HTTPRedirect('/')