author | James Moger <james.moger@gitblit.com> | 2012-11-29 19:11:24 -0500 |
---|---|---|
committer | James Moger <james.moger@gitblit.com> | 2012-11-29 19:11:24 -0500 |
commit | e5c7795dc9185272365ff340698c7d2f1e6f11ab (patch) | |
tree | da562ecf3d3b8c361219b273f25dddc763908d56 | |
parent | 5f3966fed628b25ffb73cb8750ba636fa487037d (diff) | |
download | gitblit-e5c7795dc9185272365ff340698c7d2f1e6f11ab.tar.gz gitblit-e5c7795dc9185272365ff340698c7d2f1e6f11ab.zip |
Skip re-authentication if we have a valid session
-rw-r--r-- | src/com/gitblit/GitBlit.java | 2 | ||||
-rw-r--r-- | src/com/gitblit/wicket/pages/BasePage.java | 8 |
2 files changed, 8 insertions, 2 deletions
diff --git a/src/com/gitblit/GitBlit.java b/src/com/gitblit/GitBlit.java
index 319f4436..870e22fb 100644
--- a/src/com/gitblit/GitBlit.java
+++ b/src/com/gitblit/GitBlit.java
@@ -591,6 +591,8 @@ public class GitBlit implements ServletContextListener {
 if (user != null) {
GitBlitWebSession session = GitBlitWebSession.get();
session.authenticationType = AuthenticationType.COOKIE;
+ logger.info(MessageFormat.format("{0} authenticated by cookie from {1}",
+ user.username, httpRequest.getRemoteAddr()));
return user;
}
}
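Review bot: The new audit line records `httpRequest.getRemoteAddr()`, which is the address of the immediate peer, so if Gitblit runs behind a reverse proxy every cookie login will be attributed to the proxy and the entry loses most of its value for incident response. Consider a comment on the call such as `// remote address is the direct peer; behind a reverse proxy this is the proxy, not the client`, or log the forwarded client address when the proxy is trusted to set it. Only the success path is logged in this hunk; whether a cookie that fails to resolve to a user is logged anywhere is not visible here. The enclosing method starts and ends outside the hunk.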
diff --git a/src/com/gitblit/wicket/pages/BasePage.java b/src/com/gitblit/wicket/pages/BasePage.java
index 5721adf7..d1ee2710 100644
--- a/src/com/gitblit/wicket/pages/BasePage.java
+++ b/src/com/gitblit/wicket/pages/BasePage.java
@@ -130,14 +130,18 @@ public abstract class BasePage extends WebPage {
 }
private void login() {
+ GitBlitWebSession session = GitBlitWebSession.get();
+ if (session.isLoggedIn() && !session.isSessionInvalidated()) {
+ // already have a session
+ return;
+ }
+
// try to authenticate by servlet request
HttpServletRequest httpRequest = ((WebRequest) getRequestCycle().getRequest()).getHttpServletRequest();
UserModel user = GitBlit.self().authenticate(httpRequest);
// Login the user
if (user != null) {
- // Set the user into the session
- GitBlitWebSession session = GitBlitWebSession.get();
// issue 62: fix session fixation vulnerability
session.replaceSession();
session.setUser(user);
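Review bot: The early return at the top of `login()` trusts the existing session without looking at the request again, so a change made after login is not noticed until the session ends: an account that was deleted or disabled, a password change that should invalidate the cookie, or a request that now carries different credentials than the session's user. Whether the session's user is revalidated elsewhere is not visible in this hunk. At minimum the comment should state the trade-off, e.g. `// already have a session: request credentials are not re-checked until the session is invalidated`. A stronger option is to confirm that the session's user still exists and is enabled before returning. `login()` continues past the end of the hunk.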