From: Felix Dörre
Date: Mon, 30 Jun 2014 01:01:50 +0000 (+0200)
Subject: Ensure new session ids on login.
X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=6f888ca8a1bbb6aa7669c02fc640077646de2ae8

Ensure new session ids on login.
---

diff --git a/src/org/cacert/gigi/pages/LoginPage.java b/src/org/cacert/gigi/pages/LoginPage.java
index d88b6983..acfc8f51 100644
--- a/src/org/cacert/gigi/pages/LoginPage.java
+++ b/src/org/cacert/gigi/pages/LoginPage.java
@@ -37,8 +37,7 @@ public class LoginPage extends Page {
     @Override
     public boolean beforeTemplate(HttpServletRequest req,
             HttpServletResponse resp) throws IOException {
-        HttpSession hs = req.getSession();
-        if (hs.getAttribute("loggedin") == null) {
+        if (req.getSession().getAttribute("loggedin") == null) {
             X509Certificate[] cert = (X509Certificate[]) req
                     .getAttribute("javax.servlet.request.X509Certificate");
             if (cert != null && cert[0] != null) {
@@ -49,7 +48,7 @@ public class LoginPage extends Page {
             }
         }
-        if (hs.getAttribute("loggedin") != null) {
+        if (req.getSession().getAttribute("loggedin") != null) {
             String s = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
             if (s != null) {
                 if (!s.startsWith("/")) {
@@ -79,6 +78,7 @@ public class LoginPage extends Page {
             ResultSet rs = ps.executeQuery();
             if (rs.next()) {
                 if (PasswordHash.verifyHash(pw, rs.getString(1))) {
+                    req.getSession().invalidate();
                     HttpSession hs = req.getSession();
                     hs.setAttribute(LOGGEDIN, true);
                     hs.setAttribute(USER, new User(rs.getInt(2)));
@@ -105,6 +105,7 @@ public class LoginPage extends Page {
             ps.setString(1, serial);
             ResultSet rs = ps.executeQuery();
             if (rs.next()) {
+                req.getSession().invalidate();
                 HttpSession hs = req.getSession();
                 hs.setAttribute(LOGGEDIN, true);
                 hs.setAttribute(USER, new User(rs.getInt(1)));
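Review bot: The rewritten condition still tests the string literal "loggedin", while both login paths later in this file mark the session through the LOGGEDIN constant; assuming LOGGEDIN holds "loggedin" today, the two will silently diverge if the constant is ever renamed, and this check would then never see a logged-in session. Use the constant here too: `if (req.getSession().getAttribute(LOGGEDIN) == null) {`. Dropping the cached hs local is the right move, presumably because the certificate login inside this branch now invalidates the session and the old handle would be stale. Separately, req.getSession() with no argument creates a session for every anonymous visitor of this page; `req.getSession(false)` plus a null check would avoid that, although the existing code below already follows the same pattern. beforeTemplate continues past the end of this hunk.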
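Review bot: Invalidating the session at the start of the password branch also discards every attribute stored before login, including LOGIN_RETURNPATH, which beforeTemplate reads from the session once the user is logged in (second hunk); a user sent here from a protected URL would presumably no longer be returned to it. Carry the value across to the new session: read it before the invalidate with `Object ret = req.getSession().getAttribute(LOGIN_RETURNPATH);` and re-store it right after `HttpSession hs = req.getSession();` with `if (ret != null) hs.setAttribute(LOGIN_RETURNPATH, ret);`. The invalidate itself is the correct session-fixation fix, since the pre-login session id could have been planted by an attacker and must never be promoted to an authenticated one. The enclosing method starts and ends outside this hunk, so where LOGIN_RETURNPATH is set cannot be confirmed from here.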
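Review bot: The three-line login sequence added here is now duplicated verbatim between the password branch and this certificate branch, differing only in the result-set column the user id comes from (getInt(1) here, getInt(2) above); any third login path has to remember the invalidate on its own. Factor the sequence into one private helper that takes the user id and performs invalidate, fresh session and attribute setup, so the session-fixation protection cannot be skipped on one path. Both call sites then reduce to `startSession(req, rs.getInt(1));` and `startSession(req, rs.getInt(2));`. The enclosing method starts and ends outside this hunk.
```java
            if (rs.next()) {
                startSession(req, rs.getInt(1));
                // … unchanged: rest of the certificate branch …

    /** Replaces the caller's current (possibly attacker-supplied) session with a fresh one marked as logged in. */
    private static void startSession(HttpServletRequest req, int userId) {
        // Invalidate first so the pre-login session id is never promoted to an authenticated one.
        req.getSession().invalidate();
        HttpSession hs = req.getSession();
        hs.setAttribute(LOGGEDIN, true);
        hs.setAttribute(USER, new User(userId));
    }
```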