From 39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b Mon Sep 17 00:00:00 2001
From: Patrik Dufresne
Date: Wed, 21 Sep 2022 10:31:38 -0400
Subject: [PATCH] Generate a new session on login and 2FA #220

---
 README.md                         | 6 ++++++
 rdiffweb/controller/page_login.py | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/README.md b/README.md
index a5b46a9b..8156d3f1 100644
--- a/README.md
+++ b/README.md
@@ -107,6 +107,12 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/
 
 # Changelog
 
+## 2.4.7 (2002-09-21)
+
+This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
+
+* Generate a new session on login and 2FA #220
+
 ## 2.4.6 (2022-09-20)
 
 This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
diff --git a/rdiffweb/controller/page_login.py b/rdiffweb/controller/page_login.py
index 4454cc76..6565aa15 100644
--- a/rdiffweb/controller/page_login.py
+++ b/rdiffweb/controller/page_login.py
@@ -69,6 +69,7 @@ def index(self, **kwargs):
         else:
             if userobj:
                 cherrypy.session[SESSION_KEY] = userobj.username
+                cherrypy.session.regenerate()
                 raise cherrypy.HTTPRedirect(form.redirect.data)
         flash(_("Invalid username or password."))
 
@@ -89,4 +90,5 @@ class LogoutPage(Controller):
     @cherrypy.config(**{'tools.auth_form.on': False})
     def default(self):
         cherrypy.session[SESSION_KEY] = None
+        cherrypy.session.regenerate()
         raise cherrypy.HTTPRedirect('/')
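Review bot: The new `cherrypy.session.regenerate()` in index() rotates the id only on the password-login path, while the subject line says "login and 2FA" and the diffstat shows only page_login.py and README.md changed; if the second-factor verification completes in another handler and marks the session as verified, that handler presumably still carries the pre-authentication session id unless it was already covered elsewhere — worth confirming. Calling regenerate() after storing the username relies on CherryPy keeping the in-memory session data while it swaps the id, which I believe it does, but it is the kind of ordering assumption that deserves a comment: `# Rotate the session id after authentication so a pre-login id cannot be reused (session fixation).` index() begins outside the hunk, so the branch that computes userobj is not visible here.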
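Review bot: In LogoutPage.default the code nulls SESSION_KEY and then regenerates the id, but every other value stored in the session survives into the new session under the new id. If the session also carries other authentication state such as a second-factor flag — not visible in this hunk — `cherrypy.session.clear()` before the `cherrypy.session.regenerate()` call discards all of it rather than only the username, which is the usual expectation for a logout. The enclosing LogoutPage class starts outside the hunk.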