From 32d0ee1cba55825d13b192c6d53d8bd507d76a6b Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 7 May 2019 16:06:24 +0100 Subject: [PATCH] auth: Wrap login and logout in a single transaction Signed-off-by: Michael Tremer --- src/web/auth.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/web/auth.py b/src/web/auth.py index 14ae0d21..afea4288 100644 --- a/src/web/auth.py +++ b/src/web/auth.py @@ -20,8 +20,9 @@ class AuthenticationMixin(object): def login(self, account): # User has logged in, create a session - session_id, session_expires = self.backend.accounts.create_session( - account, self.request.host) + with self.db.transaction(): + session_id, session_expires = self.backend.accounts.create_session( + account, self.request.host) # Check if a new session was created if not session_id: @@ -36,7 +37,10 @@ class AuthenticationMixin(object): if not session_id: return - success = self.backend.accounts.destroy_session(session_id, self.request.host) + # Destroy session + with self.db.transaction(): + success = self.backend.accounts.destroy_session(session_id, self.request.host) + if success: self.clear_cookie("session_id") -- 2.47.3
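Review bot: The new `with self.db.transaction():` block in `login` carries no comment saying what it is meant to guarantee, and the `if not session_id:` check sits after the block, so whatever `create_session` wrote is presumably committed even when it returns no session id. If the intent is that the session row is durable before the client is handed a session id, say so above the block, for example `# Commit the session before any cookie is sent; an exception in here should roll it back`. It is also worth confirming that `self.backend.accounts` writes through the same connection as `self.db`, which the hunk does not show; otherwise the wrapper would not cover the insert. The rest of `login` lies outside the hunk.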
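Review bot: In `logout` the cookie is still cleared only under `if success:`, so a browser whose session row is already gone, or was recorded under a different `self.request.host`, keeps holding and sending a dead `session_id`. Logout is safer when the client side is cleaned up regardless: call `self.clear_cookie("session_id")` unconditionally after the transaction and keep `success` only for logging. What `destroy_session` returns for a missing row is not visible here, so confirm that before changing the branch. The start of `logout` is outside the hunk.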