From 8f0d358533b97f02ce59896b9414fe31e88682d7 Mon Sep 17 00:00:00 2001
From: Go MAEDA
Date: Thu, 15 Jul 2021 01:44:05 +0000
Subject: User sessions not reset after 2FA activation (#35417).
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Patch by Felix Schäfer.

git-svn-id: http://svn.redmine.org/redmine/trunk@21069 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/twofa_controller.rb | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'app/controllers')

diff --git a/app/controllers/twofa_controller.rb b/app/controllers/twofa_controller.rb
index 058388907..87f65e826 100644
--- a/app/controllers/twofa_controller.rb
+++ b/app/controllers/twofa_controller.rb
@@ -47,6 +47,8 @@ class TwofaController < ApplicationController
 def activate
 if @twofa.confirm_pairing!(params[:twofa_code].to_s)
+ # The session token was destroyed by the twofa pairing, generate a new one
+ session[:tk] = @user.generate_session_token
 flash[:notice] = l('twofa_activated', bc_path: my_twofa_backup_codes_init_path)
 redirect_to my_account_path
 else
-- 
cgit v1.2.3
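Review bot: Nothing in this commit pins the behaviour the two added lines in `activate` depend on: the diffstat lists only the controller, so no test checks that a successful `confirm_pairing!` leaves the current session usable while tokens held by the user's other sessions stop being accepted. A functional test that activates 2FA and then asserts both that `session[:tk]` holds a freshly issued token and that a token issued before activation is rejected would catch a regression in either half of that contract. The comment could also state the intent rather than only the mechanism, for example `# Pairing drops the user's existing session tokens so other sessions are logged out; re-issue one for this session only`, assuming that is what `confirm_pairing!` does, since its body is not in the hunk. `@user` is presumably set by a filter outside the hunk, and the `else` branch of `activate` continues past the last visible line.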