From 90c2b6ca0cf0fed61d83a5a607fd714cd66b39b9 Mon Sep 17 00:00:00 2001
From: Patrick Cloke
Date: Fri, 20 Mar 2020 15:56:01 -0400
Subject: [PATCH] Only clear the session once the final request comes through without an auth flow.

---
 synapse/handlers/auth.py | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index d582b9571b03..790b3c566177 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -343,8 +343,11 @@ def check_auth(
             list(clientdict),
         )
 
-        # Blow away the session so it can not be re-used.
-        self._invalidate_session(session["id"])
+        # If the authentication flow is complete and this is the
+        # subsequent request, mark this session as invalid, so it cannot
+        # be re-used.
+        if "type" not in authdict:
+            self._remove_session(session["id"])
 
         return creds, clientdict, session["id"]
 
@@ -518,13 +521,9 @@ def _get_session_info(self, session_id: Optional[str]) -> dict:
 
         return self.sessions[session_id]
 
-    def _invalidate_session(self, session_id) -> None:
-        """Invalidate session information for session ID"""
-        session = self.sessions.get(session_id, None)
-        if session and "ui_auth" in session:
-            # Set the items in the ui_auth session to sentinel values that can
-            # never be equaled.
-            session["ui_auth"] = object()
+    def _remove_session(self, session_id) -> None:
+        """Remove a session (if it exists)."""
+        self.sessions.pop(session_id, None)
 
     @defer.inlineCallbacks
     def get_access_token_for_user_id(
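Review bot: The new guard in check_auth removes the session only when the final request carries no "type", so a request that completes the last stage while still carrying "type" returns creds but leaves a fully satisfied session in self.sessions; whether that session can then be presented again to authorise a further operation depends on checks outside this hunk and is worth confirming, since the old code blew the session away on every successful return. If the intended contract is that the client always re-submits the original request without an auth flow, say so in the comment, e.g. `# The client is expected to re-send the original request with only {"session": ...} in its auth dict; that final request consumes the session.` The expression also assumes authdict is a dict at this point (a None value would raise TypeError), which is fine only if the lines above the hunk already guarantee it. check_auth starts before this hunk.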
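Review bot: `_remove_session` takes `session_id` without the annotation its neighbour `_get_session_info(self, session_id: Optional[str])` carries; write it as `def _remove_session(self, session_id: str) -> None:`. Removing the entry, unlike the old sentinel approach, means a later request quoting the removed id no longer finds a poisoned session; if `_get_session_info` allocates a fresh session for an unknown id (its body is only partly visible in this hunk), a stale client silently restarts the flow instead of getting an error, which seems acceptable but deserves a sentence in the docstring, e.g. `Any later request that quotes this id is treated as a new session.`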