Do not clear CSRF token on logout (fix for #1303)
This is a hacky way to allow the use case of #1303. What happens is 1. User tries to login 2. PreLoginHook kicks in and figures out that the user need to change their LDAP password or whatever => redirects user 3. While loading the redirect some logic of ours kicks in and logouts the user (thus clearing the session). 4. We render the new page but now the session and the page disagree about the CSRF token This is kind of hacky but I don't think it introduces new attack vectors. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
parent
af16416de5
commit
bb94b39745
1 changed files with 4 additions and 0 deletions
|
@ -129,7 +129,11 @@ class CryptoSessionData implements \ArrayAccess, ISession {
|
||||||
* Reset and recreate the session
|
* Reset and recreate the session
|
||||||
*/
|
*/
|
||||||
public function clear() {
|
public function clear() {
|
||||||
|
$requesttoken = $this->get('requesttoken');
|
||||||
$this->sessionValues = [];
|
$this->sessionValues = [];
|
||||||
|
if ($requesttoken !== null) {
|
||||||
|
$this->set('requesttoken', $requesttoken);
|
||||||
|
}
|
||||||
$this->isModified = true;
|
$this->isModified = true;
|
||||||
$this->session->clear();
|
$this->session->clear();
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue