Mercurial > openid
diff src/ur/openidUser.ur @ 46:72e942423f26
Based on a security suggestion by Robin Green, start a new session after authentication at an OP and after submission of a signup form
author | Adam Chlipala <adam@chlipala.net> |
---|---|
date | Sun, 03 Jul 2011 17:52:29 -0400 |
parents | c39c3f63854a |
children | 9c83592de908 328a429dfedb |
line wrap: on
line diff
--- a/src/ur/openidUser.ur Sun Jul 03 16:40:55 2011 -0400 +++ b/src/ur/openidUser.ur Sun Jul 03 17:52:29 2011 -0400 @@ -121,6 +121,14 @@ clearCookie auth; redirect M.afterLogout + fun newSession identO = + ses <- nextval sessionIds; + now <- now; + key <- rand; + dml (INSERT INTO session (Id, Key, Identifier, Expires) + VALUES ({[ses]}, {[key]}, {[identO]}, {[addSeconds now M.sessionLifetime]})); + return {Session = ses, Key = key} + fun signupDetails after = let fun finishSignup uid data = @@ -150,6 +158,9 @@ case cols of Failure s => return (Some s) | Success cols => + dml (DELETE FROM session + WHERE Id = {[ses.Session]}); + ses <- newSession (Some ident); setCookie auth {Value = LoggedIn ({User = uid} ++ ses), Expires = None, Secure = M.secureCookies}; @@ -199,9 +210,12 @@ if invalid then error <xml>Invalid or expired session</xml> else - dml (UPDATE session - SET Identifier = {[Some ident]} + dml (DELETE FROM session WHERE Id = {[signup.Session]}); + ses <- newSession (Some ident); + setCookie auth {Value = SigningUp ses, + Expires = None, + Secure = M.secureCookies}; signupDetails after | Some (LoggedIn login) => if login.Session <> ses then @@ -214,9 +228,12 @@ if invalid then error <xml>Invalid or expired session</xml> else - dml (UPDATE session - SET Identifier = {[Some ident]} + dml (DELETE FROM session WHERE Id = {[login.Session]}); + ses <- newSession (Some ident); + setCookie auth {Value = LoggedIn ({User = login.User} ++ ses), + Expires = None, + Secure = M.secureCookies}; redirect (bless after) | None => error <xml>Missing session cookie</xml> @@ -249,14 +266,6 @@ redirect (bless after) | None => error <xml>Missing session cookie</xml> - fun newSession () = - ses <- nextval sessionIds; - now <- now; - key <- rand; - dml (INSERT INTO session (Id, Key, Identifier, Expires) - VALUES ({[ses]}, {[key]}, NULL, {[addSeconds now M.sessionLifetime]})); - return {Session = ses, Key = key} - fun logon after r = ident <- oneOrNoRowsE1 (SELECT (identity.Identifier) FROM identity @@ -265,7 +274,7 @@ case ident of None => error <xml>Username not found</xml> | Some ident => - ses <- newSession (); + ses <- newSession None; setCookie auth {Value = LoggedIn (r ++ ses), Expires = None, Secure = M.secureCookies}; @@ -280,7 +289,7 @@ error <xml>Login with your identity provider failed: {[msg]}</xml> fun doSignup after r = - ses <- newSession (); + ses <- newSession None; setCookie auth {Value = SigningUp ses, Expires = None, Secure = M.secureCookies};