From: Michael Tremer
Date: Mon, 28 Oct 2019 18:42:20 +0000 (+0000)
Subject: accounts: Generate random session ID in webapp
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4b91a306f923d769c1092fe418778a87e4746b50;p=ipfire.org.git

accounts: Generate random session ID in webapp

Signed-off-by: Michael Tremer
---
diff --git a/src/backend/accounts.py b/src/backend/accounts.py
index 824194c2..3e6412f2 100644
--- a/src/backend/accounts.py
+++ b/src/backend/accounts.py
@@ -286,8 +286,10 @@ class Accounts(Object):
 # Session stuff
 def create_session(self, account, host):
- res = self.db.get("INSERT INTO sessions(host, uid) VALUES(%s, %s) \
- RETURNING session_id, time_expires", host, account.uid)
+ session_id = util.random_string(64)
+
+ res = self.db.get("INSERT INTO sessions(host, uid, session_id) VALUES(%s, %s, %s) \
+ RETURNING session_id, time_expires", host, account.uid, session_id)
 # Session could not be created
 if not res:
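Review bot: The session ID in `create_session` is now a bearer credential whose unpredictability rests entirely on `util.random_string(64)`, and that helper's implementation is not visible in this hunk. If it draws from the `random` module rather than `secrets` or `os.urandom`, the IDs are predictable to anyone who can observe enough of them, so that should be confirmed before relying on this. Generating the value directly with `session_id = secrets.token_hex(32)` (plus `import secrets` at the top of the file) keeps the 64-character length and makes the CSPRNG guarantee visible at the call site. Failing that, a comment such as `# util.random_string() must be backed by a CSPRNG; this value authenticates the user` would record the requirement. The body of `create_session` continues past the end of the hunk.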