Mercurial > libervia-web
annotate libervia/web/pages/login/logged/page_meta.py @ 1598:86c7a3a625d5
server: always start a new session on connection:
The session was kept when a user was connecting from service profile (but not from other
profiles), this was leading to session fixation vulnerability (an attacker on the same
machine could get service profile session cookie, and use it when a victim would log-in).
This patch fixes it by always starting a new session on connection.
fix 443
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Fri, 23 Feb 2024 13:35:24 +0100 |
| parents | 7941444c1671 |
| children |
| rev | line source |
|---|---|
| 1216 | 1 #!/usr/bin/env python3 |
| 1239 | 2 |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
3 |
|
1518
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
4 from libervia.web.server import session_iface |
|
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
5 from libervia.backend.core.log import getLogger |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1102
diff
changeset
|
6 |
|
1145
29eb15062416
pages: set __name__ for imported pages
Goffi <goffi@goffi.org>
parents:
1124
diff
changeset
|
7 log = getLogger(__name__) |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
8 |
|
1595
7941444c1671
pages: set `own_local_jid` to avoid confusion with `own_jid`:
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
9 """Libervia Web log-in page, with link to create an account""" |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
10 |
| 1216 | 11 template = "login/logged.html" |
|
1102
8b70c838ed14
login (logged): set guest_session and session_started template variables
Goffi <goffi@goffi.org>
parents:
994
diff
changeset
|
12 |
|
8b70c838ed14
login (logged): set guest_session and session_started template variables
Goffi <goffi@goffi.org>
parents:
994
diff
changeset
|
13 |
|
8b70c838ed14
login (logged): set guest_session and session_started template variables
Goffi <goffi@goffi.org>
parents:
994
diff
changeset
|
14 def prepare_render(self, request): |
|
8b70c838ed14
login (logged): set guest_session and session_started template variables
Goffi <goffi@goffi.org>
parents:
994
diff
changeset
|
15 template_data = request.template_data |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
16 session_data = self.host.get_session_data(request, session_iface.IWebSession) |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1102
diff
changeset
|
17 template_data["guest_session"] = session_data.guest |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1102
diff
changeset
|
18 template_data["session_started"] = session_data.started |