# HG changeset patch
# User Adam Chlipala <adam@chlipala.net>
# Date 1309729949 14400
# Node ID 72e942423f26ebafffc796c48dad1b4bf3707573
# Parent  c39c3f63854a839cc3902116fa75894a2597446c
Based on a security suggestion by Robin Green, start a new session after authentication at an OP and after submission of a signup form

diff -r c39c3f63854a -r 72e942423f26 src/ur/openidUser.ur
--- a/src/ur/openidUser.ur	Sun Jul 03 16:40:55 2011 -0400
+++ b/src/ur/openidUser.ur	Sun Jul 03 17:52:29 2011 -0400
@@ -121,6 +121,14 @@
                 clearCookie auth;
                 redirect M.afterLogout
 
+            fun newSession identO =
+                ses <- nextval sessionIds;
+                now <- now;
+                key <- rand;
+                dml (INSERT INTO session (Id, Key, Identifier, Expires)
+                     VALUES ({[ses]}, {[key]}, {[identO]}, {[addSeconds now M.sessionLifetime]}));
+                return {Session = ses, Key = key}
+
             fun signupDetails after =
                 let
                     fun finishSignup uid data =
@@ -150,6 +158,9 @@
                                         case cols of
                                             Failure s => return (Some s)
                                           | Success cols =>
+                                            dml (DELETE FROM session
+                                                 WHERE Id = {[ses.Session]});
+                                            ses <- newSession (Some ident);
                                             setCookie auth {Value = LoggedIn ({User = uid} ++ ses),
                                                             Expires = None,
                                                             Secure = M.secureCookies};
@@ -199,9 +210,12 @@
                             if invalid then
                                 error <xml>Invalid or expired session</xml>
                             else
-                                dml (UPDATE session
-                                     SET Identifier = {[Some ident]}
+                                dml (DELETE FROM session
                                      WHERE Id = {[signup.Session]});
+                                ses <- newSession (Some ident);
+                                setCookie auth {Value = SigningUp ses,
+                                                Expires = None,
+                                                Secure = M.secureCookies};
                                 signupDetails after
                       | Some (LoggedIn login) =>
                         if login.Session <> ses then
@@ -214,9 +228,12 @@
                             if invalid then
                                 error <xml>Invalid or expired session</xml>
                             else
-                                dml (UPDATE session
-                                     SET Identifier = {[Some ident]}
+                                dml (DELETE FROM session
                                      WHERE Id = {[login.Session]});
+                                ses <- newSession (Some ident);
+                                setCookie auth {Value = LoggedIn ({User = login.User} ++ ses),
+                                                Expires = None,
+                                                Secure = M.secureCookies};
                                 redirect (bless after)
                       | None => error <xml>Missing session cookie</xml>
 
@@ -249,14 +266,6 @@
                         redirect (bless after)
                   | None => error <xml>Missing session cookie</xml>
 
-            fun newSession () =
-                ses <- nextval sessionIds;
-                now <- now;
-                key <- rand;
-                dml (INSERT INTO session (Id, Key, Identifier, Expires)
-                     VALUES ({[ses]}, {[key]}, NULL, {[addSeconds now M.sessionLifetime]}));
-                return {Session = ses, Key = key}
-
             fun logon after r =
                 ident <- oneOrNoRowsE1 (SELECT (identity.Identifier)
                                         FROM identity
@@ -265,7 +274,7 @@
                 case ident of
                     None => error <xml>Username not found</xml>
                   | Some ident =>
-                    ses <- newSession ();
+                    ses <- newSession None;
                     setCookie auth {Value = LoggedIn (r ++ ses),
                                     Expires = None,
                                     Secure = M.secureCookies};
@@ -280,7 +289,7 @@
                         error <xml>Login with your identity provider failed: {[msg]}</xml>
 
             fun doSignup after r =
-                ses <- newSession ();
+                ses <- newSession None;
                 setCookie auth {Value = SigningUp ses,
                                 Expires = None,
                                 Secure = M.secureCookies};