From: James Moger <james.moger@gitblit.com>
Date: Thu, 9 Feb 2012 13:33:16 +0000 (-0500)
Subject: Fixed session fixation vulnerability (issue 62)
X-Git-Tag: v0.9.0~103
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=e7883877a98dfcae3f75f1c1a562120d89aed22a;p=gitblit.git

Fixed session fixation vulnerability (issue 62)
---

diff --git a/docs/04_releases.mkd b/docs/04_releases.mkd
index e1dcb400..2b64eaed 100644
--- a/docs/04_releases.mkd
+++ b/docs/04_releases.mkd
@@ -4,6 +4,10 @@
 
 **%VERSION%** ([go](http://code.google.com/p/gitblit/downloads/detail?name=%GO%) | [war](http://code.google.com/p/gitblit/downloads/detail?name=%WAR%) | [express](http://code.google.com/p/gitblit/downloads/detail?name=%EXPRESS%) | [fedclient](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%) | [manager](http://code.google.com/p/gitblit/downloads/detail?name=%MANAGER%) | [api](http://code.google.com/p/gitblit/downloads/detail?name=%API%)) based on [%JGIT%][jgit] &nbsp; *released %BUILDDATE%*
 
+#### security
+
+- Fixed session fixation vulnerability where the session identifier was not reset during the login process (issue 62)
+
 #### changes
 
 - block pushes to a repository with a working copy (i.e. non-bare repository) (issue-49)
diff --git a/src/com/gitblit/wicket/pages/BasePage.java b/src/com/gitblit/wicket/pages/BasePage.java
index 80bff167..ca940071 100644
--- a/src/com/gitblit/wicket/pages/BasePage.java
+++ b/src/com/gitblit/wicket/pages/BasePage.java
@@ -80,7 +80,10 @@ public abstract class BasePage extends WebPage {
 		// Login the user
 		if (user != null) {
 			// Set the user into the session
-			GitBlitWebSession.get().setUser(user);
+			GitBlitWebSession session = GitBlitWebSession.get();
+			// issue 62: fix session fixation vulnerability
+			session.replaceSession();
+			session.setUser(user);
 
 			// Set Cookie
 			WebResponse response = (WebResponse) getRequestCycle().getResponse();
diff --git a/src/com/gitblit/wicket/pages/RootPage.java b/src/com/gitblit/wicket/pages/RootPage.java
index cbf9cfe1..bad0140b 100644
--- a/src/com/gitblit/wicket/pages/RootPage.java
+++ b/src/com/gitblit/wicket/pages/RootPage.java
@@ -195,7 +195,10 @@ public abstract class RootPage extends BasePage {
 	private void loginUser(UserModel user) {
 		if (user != null) {
 			// Set the user into the session
-			GitBlitWebSession.get().setUser(user);
+			GitBlitWebSession session = GitBlitWebSession.get();
+			// issue 62: fix session fixation vulnerability
+			session.replaceSession();
+			session.setUser(user);
 
 			// Set Cookie
 			if (GitBlit.getBoolean(Keys.web.allowCookieAuthentication, false)) {