Ensure new session ids on login.
authorFelix Dörre <felix@dogcraft.de>
Mon, 30 Jun 2014 01:01:50 +0000 (03:01 +0200)
committerFelix Dörre <felix@dogcraft.de>
Mon, 30 Jun 2014 01:01:50 +0000 (03:01 +0200)
src/org/cacert/gigi/pages/LoginPage.java

index d88b6983b23611eefda46801db4a6dd6202b2790..acfc8f51ed310153e9f1d041402167599d91e35d 100644 (file)
@@ -37,8 +37,7 @@ public class LoginPage extends Page {
        @Override
        public boolean beforeTemplate(HttpServletRequest req,
                        HttpServletResponse resp) throws IOException {
-               HttpSession hs = req.getSession();
-               if (hs.getAttribute("loggedin") == null) {
+               if (req.getSession().getAttribute("loggedin") == null) {
                        X509Certificate[] cert = (X509Certificate[]) req
                                        .getAttribute("javax.servlet.request.X509Certificate");
                        if (cert != null && cert[0] != null) {
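Review bot: The login check on line 16 still compares against the string literal `"loggedin"`, while the two login paths in this same commit set the `LOGGEDIN` constant; unless `LOGGEDIN` is defined as exactly `"loggedin"` (its definition is outside this hunk), the pre-template check never sees the flag the login code just set. Using the constant in both places removes that dependence: `if (req.getSession().getAttribute(LOGGEDIN) == null) {`. Separately, `req.getSession()` creates a session for every anonymous visitor; if this branch only needs to look at an existing session, `req.getSession(false)` with a null guard avoids handing out a session before any authentication has happened. beforeTemplate continues past the end of this hunk.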
@@ -49,7 +48,7 @@ public class LoginPage extends Page {
                        }
                }
 
-               if (hs.getAttribute("loggedin") != null) {
+               if (req.getSession().getAttribute("loggedin") != null) {
                        String s = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
                        if (s != null) {
                                if (!s.startsWith("/")) {
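Review bot: The return-path guard on line 28 only requires the stored path to start with `/`, which still admits protocol-relative targets such as `//evil.example/` (and `/\evil.example/`, which some browsers treat the same way). If the branch body, cut off at the hunk edge, rejects or rewrites non-local paths, the condition should cover that form too, e.g. `if (!s.startsWith("/") || s.startsWith("//") || s.startsWith("/\\")) {`. Because the value is user-influenced (it is whatever was stored in the session before login), it deserves the stricter check even if the current callers only ever store local paths. beforeTemplate's body continues outside this hunk.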
@@ -79,6 +78,7 @@ public class LoginPage extends Page {
                        ResultSet rs = ps.executeQuery();
                        if (rs.next()) {
                                if (PasswordHash.verifyHash(pw, rs.getString(1))) {
+                                       req.getSession().invalidate();
                                        HttpSession hs = req.getSession();
                                        hs.setAttribute(LOGGEDIN, true);
                                        hs.setAttribute(USER, new User(rs.getInt(2)));
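Review bot: `req.getSession().invalidate()` on line 33 discards every attribute of the pre-login session, including `LOGIN_RETURNPATH`, which `beforeTemplate` reads from the session to redirect the user after a successful login; unless that value is re-stored somewhere outside this hunk, the post-login redirect silently stops working with this change. Carry it across the session boundary: `Object back = req.getSession().getAttribute(LOGIN_RETURNPATH);` before the invalidate, and `if (back != null) hs.setAttribute(LOGIN_RETURNPATH, back);` once the new session has been obtained. Invalidating before re-reading the session is the right defence against session fixation; a short comment such as `// issue a fresh session id on login (session fixation)` would make that intent visible to the next reader. The enclosing method starts and ends outside this hunk.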
@@ -105,6 +105,7 @@ public class LoginPage extends Page {
                        ps.setString(1, serial);
                        ResultSet rs = ps.executeQuery();
                        if (rs.next()) {
+                               req.getSession().invalidate();
                                HttpSession hs = req.getSession();
                                hs.setAttribute(LOGGEDIN, true);
                                hs.setAttribute(USER, new User(rs.getInt(1)));
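Review bot: Lines 41-44 repeat the invalidate / new-session / set-attributes sequence of the password login path a few lines earlier, so the session-fixation fix and any later attribute carry-over have to be kept correct in two places. Extracting the sequence into one private helper keeps both login paths in step and gives the security-relevant behaviour a single documented home. The enclosing method starts and ends outside this hunk.
```java
/** Replaces the current session with a fresh one (new id) marked as logged in for {@code user}. */
private static HttpSession startLoginSession(HttpServletRequest req, User user) {
    req.getSession().invalidate();
    HttpSession hs = req.getSession();
    hs.setAttribute(LOGGEDIN, true);
    hs.setAttribute(USER, user);
    return hs;
}
// … unchanged: certificate lookup by serial …
HttpSession hs = startLoginSession(req, new User(rs.getInt(1)));
```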