Ensure that updated session is sent to clients after external auth

While 162cd06 correctly identified that sending the cookie was only necessary after reading it or re-auth, it failed to notice that InstantiateNewSession is called elsewhere than AttemptPasswordAuthentication (notably AttemptExternalAuth), all of which require SendSessionCookie calls to function correctly. Ensure that the updated cookie value is always set after it is changed by InstantiateNewSession, as well as directly before page display (in case other callbacks change the session id by other means).
bestpractical · May 14, 2012 · 650e032 · 650e032
1 parent ddb3ab9
commit 650e032
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
@@ -540,6 +540,10 @@ sub ShowRequestedPage {
 
     my $m = $HTML::Mason::Commands::m;
 
+    # Ensure that the cookie that we send is up-to-date, in case the
+    # session-id has been modified in any way
+    SendSessionCookie();
+
     # precache all system level rights for the current user
     $HTML::Mason::Commands::session{CurrentUser}->PrincipalObj->HasRights( Object => RT->System );
 
@@ -691,7 +695,6 @@ sub AttemptPasswordAuthentication {
 
         InstantiateNewSession();
         $HTML::Mason::Commands::session{'CurrentUser'} = $user_obj;
-        SendSessionCookie();
 
         $m->callback( %$ARGS, CallbackName => 'SuccessfulLogin', CallbackPage => '/autohandler' );
 
@@ -746,6 +749,7 @@ sub LoadSessionFromCookie {
 sub InstantiateNewSession {
     tied(%HTML::Mason::Commands::session)->delete if tied(%HTML::Mason::Commands::session);
     tie %HTML::Mason::Commands::session, 'RT::Interface::Web::Session', undef;
+    SendSessionCookie();
 }
 
 sub SendSessionCookie {