Do not cycle session id in ensure_account

Avoids session id changing on every request. session will still be cycled on login by the functions that directly handle login. ensure_account either just sets the request.account field to the match the already logged in user, or sets the account to be the anonymous user. Neither should trigger a session_id.
Uninett · Feb 23, 2024 · 062e746 · 062e746
1 parent e74a7c8
commit 062e746
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/python/nav/web/auth/utils.py b/python/nav/web/auth/utils.py
@@ -31,14 +31,15 @@
 ACCOUNT_ID_VAR = 'account_id'
 
 
-def set_account(request, account):
+def set_account(request, account, cycle_session_id=True):
     """Updates request with new account.
-    Cycles the session ID to avoid session fixation.
+    Cycles the session ID by default to avoid session fixation.
     """
     request.session[ACCOUNT_ID_VAR] = account.id
     request.account = account
     _logger.debug('Set active account to "%s"', account.login)
-    request.session.cycle_key()
+    if cycle_session_id:
+        request.session.cycle_key()
     request.session.save()
 
 
@@ -56,7 +57,8 @@ def ensure_account(request):
         # Assumes nobody has locked it..
         account = Account.objects.get(id=Account.DEFAULT_ACCOUNT)
 
-    set_account(request, account)
+    # Do not cycle to avoid session_id being changed on every request
+    set_account(request, account, cycle_session_id=False)
 
 
 def authorization_not_required(fullpath):