SONAR-6880 Fix SSF-37

author: Fabrice Bellingard <fabrice.bellingard@sonarsource.com> 2015-10-14 11:51:56 +0200
committer: Fabrice Bellingard <fabrice.bellingard@sonarsource.com> 2015-10-14 15:23:34 +0200
commit: cf0128cceea80d2637dff20713d6de9182394242 (patch)
tree: 90574b01a4cf296262119cc48325e2c14c3ff0ae /server/sonar-web/src/main/webapp
parent: 2a443e6ce3e61d7d5ddbc899d3efe4a90ad02e58 (diff)
download: sonarqube-cf0128cceea80d2637dff20713d6de9182394242.tar.gz
sonarqube-cf0128cceea80d2637dff20713d6de9182394242.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb b/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
index cb94561ab1e..d16ad58994d 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
@@ -27,6 +27,9 @@ class SessionsController < ApplicationController
   def login
     return unless request.post?
 
+    # Needed to bypass session fixation vulnerability (https://jira.sonarsource.com/browse/SONAR-6880)
+    reset_session
+
     self.current_user = User.authenticate(params[:login], params[:password], servlet_request)
     if logged_in?
       if params[:remember_me] == '1'
author	Fabrice Bellingard <fabrice.bellingard@sonarsource.com>	2015-10-14 11:51:56 +0200
committer	Fabrice Bellingard <fabrice.bellingard@sonarsource.com>	2015-10-14 15:23:34 +0200
commit	cf0128cceea80d2637dff20713d6de9182394242 (patch)
tree	90574b01a4cf296262119cc48325e2c14c3ff0ae /server/sonar-web/src/main/webapp
parent	2a443e6ce3e61d7d5ddbc899d3efe4a90ad02e58 (diff)
download	sonarqube-cf0128cceea80d2637dff20713d6de9182394242.tar.gz sonarqube-cf0128cceea80d2637dff20713d6de9182394242.zip