From cf0128cceea80d2637dff20713d6de9182394242 Mon Sep 17 00:00:00 2001
From: Fabrice Bellingard
Date: Wed, 14 Oct 2015 11:51:56 +0200
Subject: SONAR-6880 Fix SSF-37

---
 .../src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'server/sonar-web/src/main/webapp')

diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb b/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
index cb94561ab1e..d16ad58994d 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
@@ -27,6 +27,9 @@ class SessionsController < ApplicationController
   def login
     return unless request.post?
 
+    # Needed to bypass session fixation vulnerability (https://jira.sonarsource.com/browse/SONAR-6880)
+    reset_session
+
     self.current_user = User.authenticate(params[:login], params[:password], servlet_request)
     if logged_in?
       if params[:remember_me] == '1'
-- 
cgit v1.2.3
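Review bot: The added `reset_session` discards the entire session before `User.authenticate` runs, so any per-request state the login flow reads afterwards — typically a stored post-login redirect target consumed by a `redirect_back_or_default`-style helper, if this controller uses one — is silently lost; if such a value exists, copy it into a local before the reset and write it back into the fresh session once authentication succeeds. The comment's wording is also misleading: the call does not "bypass" the vulnerability, it regenerates the session id so that an id set before login is never promoted to an authenticated session, e.g. `# Regenerate the session id on login so a pre-existing (fixated) id is never promoted to an authenticated session (SONAR-6880)`. Note that the reset also runs on failed authentication attempts, which is acceptable for fixation defence but means any flash or session data set earlier in the request does not survive either. The body of `login` continues past the end of the hunk.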