From 650e03250271a39121eba428a41b1592d8342a79 Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Mon, 14 May 2012 17:56:47 -0400
Subject: [PATCH] Ensure that updated session is sent to clients after external auth
While 162cd06 correctly identified that sending the cookie was only necessary after reading it or re-auth, it failed to notice that InstantiateNewSession is called elsewhere than AttemptPasswordAuthentication (notably AttemptExternalAuth), all of which require SendSessionCookie calls to function correctly. Ensure that the updated cookie value is always set after it is changed by InstantiateNewSession, as well as directly before page display (in case other callbacks change the session id by other means).
---
 lib/RT/Interface/Web.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index d0542fe21a1..c8b258fbbeb 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -540,6 +540,10 @@ sub ShowRequestedPage {
 my $m = $HTML::Mason::Commands::m;
+ # Ensure that the cookie that we send is up-to-date, in case the
+ # session-id has been modified in any way
+ SendSessionCookie();
+
 # precache all system level rights for the current user
 $HTML::Mason::Commands::session{CurrentUser}->PrincipalObj->HasRights( Object => RT->System );
@@ -691,7 +695,6 @@ sub AttemptPasswordAuthentication {
 InstantiateNewSession();
 $HTML::Mason::Commands::session{'CurrentUser'} = $user_obj;
- SendSessionCookie();
 $m->callback( %$ARGS, CallbackName => 'SuccessfulLogin', CallbackPage => '/autohandler' );
@@ -746,6 +749,7 @@ sub LoadSessionFromCookie {
 sub InstantiateNewSession {
 tied(%HTML::Mason::Commands::session)->delete if tied(%HTML::Mason::Commands::session);
 tie %HTML::Mason::Commands::session, 'RT::Interface::Web::Session', undef;
+ SendSessionCookie();
 }
 sub SendSessionCookie {
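Review bot: On a login request SendSessionCookie() is now reached twice, once from InstantiateNewSession and once from the new call at the top of ShowRequestedPage. Its body is outside this diff, so it is worth confirming that it replaces the Set-Cookie header rather than appending to it; otherwise the response would carry two session cookies. The added comment could also record that the unconditional send is deliberate and partly undoes the optimisation the commit message attributes to 162cd06, for example `# Sent on every page on purpose: callbacks may have changed the session id since 162cd06's checks ran`. ShowRequestedPage continues past the end of the hunk.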
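Review bot: InstantiateNewSession now emits a response header as a side effect, but the sub has no comment telling callers so. I would add one above it, for example `# Deletes the old session, ties a fresh one (new id) and sends its cookie at once, so the client never keeps the deleted id`. In AttemptPasswordAuthentication (previous hunk) the cookie is consequently sent before `session{'CurrentUser'}` is assigned; that looks harmless provided the cookie carries only the session id, which cannot be confirmed from this diff. A regression test that authenticates through the external-auth path and checks that the returned cookie id differs from the pre-login id would pin the behaviour this commit restores.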