Only cycle session id if account changed
Avoids session id changing on every request
stveit committed Feb 22, 2024
1 parent 65cdd77 commit 5bc5570
Showing 1 changed file with 7 additions and 3 deletions.
10 changes: 7 additions & 3 deletions python/nav/web/auth/utils.py
Expand Up @@ -31,14 +31,15 @@
ACCOUNT_ID_VAR = 'account_id'


def set_account(request, account):
def set_account(request, account, cycle_session_id=True):
"""Updates request with new account.
Cycles the session ID to avoid session fixation.
"""
request.session[ACCOUNT_ID_VAR] = account.id
request.account = account
_logger.debug('Set active account to "%s"', account.login)
request.session.cycle_key()
if cycle_session_id:
request.session.cycle_key()
request.session.save()


Expand All @@ -54,7 +55,10 @@ def ensure_account(request):
# Assumes nobody has locked it..
account = Account.objects.get(id=Account.DEFAULT_ACCOUNT)

set_account(request, account)
account_has_changed = account.id != session.get(ACCOUNT_ID_VAR)

# Only cycle session_id if account has changed
set_account(request, account, cycle_session_id=account_has_changed)


def authorization_not_required(fullpath):
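Review bot: The docstring at the top of set_account still states unconditionally that it cycles the session ID, but after this change that only happens when `cycle_session_id` is true, so a future caller reading the docstring alone could pass False on a path where the account identity changes and silently lose the fixation defence. I would document the parameter by replacing the docstring's second line with `Cycles the session ID to avoid session fixation unless cycle_session_id is False; pass False only when the session already holds this account, since any change of account must get a fresh ID.` In ensure_account the guard `account_has_changed = account.id != session.get(ACCOUNT_ID_VAR)` is True when no account is stored yet, so the first request and every account switch still cycle, which looks right. That comparison presumably relies on `session` being bound to `request.session` earlier in ensure_account, whose body starts outside this hunk, and on the stored value having the same type as `account.id`; a type mismatch there would not weaken security but would cycle on every request again, which is the behaviour the commit sets out to remove.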
