[SECURITY-442] Prevent session fixation attack
recampbell committed Apr 12, 2018
1 parent 2f95fae commit d8d673f
Showing 1 changed file with 6 additions and 0 deletions.
Expand Up @@ -60,6 +60,7 @@
import org.kohsuke.stapler.HttpRedirect;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;

import java.io.IOException;
Expand Down Expand Up @@ -201,6 +202,11 @@ public void initialize(HttpRequest request) throws IOException {
// logs this user in.
UsernamePasswordAuthenticationToken token =
new UsernamePasswordAuthenticationToken(info.getEmail(), "", authorities);

// prevent session fixation attack
Stapler.getCurrentRequest().getSession().invalidate();
Stapler.getCurrentRequest().getSession();

SecurityContextHolder.getContext().setAuthentication(token);
// update the user profile.
User u = User.get(token.getName());
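Review bot: The `invalidate()` on line 27 discards every attribute of the pre-login session, so anything the login flow stored there earlier — for instance an OAuth state value the callback verifies or a post-login redirect target — is gone once line 28 creates the fresh session; if this realm keeps such state in the session, read it before `invalidate()` and set it again on the new session. The second call's return value is thrown away, which makes the line easy to misread as a no-op; `javax.servlet.http.HttpSession fresh = Stapler.getCurrentRequest().getSession(true);` together with the comment `// rotate the session id so an id issued before authentication cannot be reused` states what it does. `Stapler.getCurrentRequest()` is also evaluated twice and would throw a NullPointerException if this code ever ran outside a Stapler request thread; a local `StaplerRequest req = Stapler.getCurrentRequest();` addresses both. `setAuthentication` on line 30 only writes the thread-local context and reaches the new session through the filter that persists the SecurityContext, so the rotation must stay ahead of that persistence. The enclosing method begins outside this hunk.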
