From 07dd14d3b5e5c98ab44e0f70fe375dd1764363d1 Mon Sep 17 00:00:00 2001
From: Daniel Jiang
Date: Thu, 19 Sep 2019 01:17:07 +0800
Subject: [PATCH] Generate new session ID after login

This commit mitigates the Session Fixation issue by making sure a new session ID is generated each time user logs in to Harbor

Signed-off-by: Daniel Jiang
---
 src/core/api/base.go | 8 ++++++++
 src/core/controllers/base.go | 10 ++++++----
 src/core/controllers/oidc.go | 4 ++--
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/core/api/base.go b/src/core/api/base.go
index 195f7f9c8..30b7623f6 100644
--- a/src/core/api/base.go
+++ b/src/core/api/base.go
@@ -18,6 +18,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/goharbor/harbor/src/common/models"
 	"net/http"
 
 	"github.com/ghodss/yaml"
@@ -37,6 +38,7 @@ import (
 
 const (
 	yamlFileContentType = "application/x-yaml"
+	userSessionKey      = "user"
 )
 
 // the managers/controllers used globally
@@ -168,6 +170,12 @@ func (b *BaseController) WriteYamlData(object interface{}) {
 	_, _ = w.Write(yData)
 }
 
+// PopulateUserSession generates a new session ID and fill the user model in parm to the session
+func (b *BaseController) PopulateUserSession(u models.User) {
+	b.SessionRegenerateID()
+	b.SetSession(userSessionKey, u)
+}
+
 // Init related objects/configurations for the API controllers
 func Init() error {
 	registerHealthCheckers()
diff --git a/src/core/controllers/base.go b/src/core/controllers/base.go
index 6337973fb..714306a75 100644
--- a/src/core/controllers/base.go
+++ b/src/core/controllers/base.go
@@ -17,6 +17,7 @@ package controllers
 import (
 	"bytes"
 	"context"
+	"github.com/goharbor/harbor/src/core/api"
 	"html/template"
 	"net"
 	"net/http"
@@ -38,11 +39,9 @@ import (
 	"github.com/goharbor/harbor/src/core/filter"
 )
 
-const userKey = "user"
-
 // CommonController handles request from UI that doesn't expect a page, such as /SwitchLanguage /logout ...
 type CommonController struct {
-	beego.Controller
+	api.BaseController
 	i18n.Locale
 }
 
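Review bot: In the import block of src/core/api/base.go (hunk @@ -18,6 +18,7 @@) the new `"github.com/goharbor/harbor/src/common/models"` line sits between `"fmt"` and `"net/http"`, inside the standard-library group; goimports would place it in the non-stdlib group next to `"github.com/ghodss/yaml"`, and a gofmt/goimports check in CI may reject the current placement. The same applies to `"github.com/goharbor/harbor/src/core/api"` inserted between `"context"` and `"html/template"` in src/core/controllers/base.go (hunk @@ -17,6 +17,7 @@). Moving each line down into the block's existing third-party group fixes both.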
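Review bot: The doc comment on `PopulateUserSession` is ungrammatical and does not say which session key the user is stored under or why the ID is regenerated first; suggest `// PopulateUserSession regenerates the session ID and then stores u in the session under userSessionKey, so that a session ID issued before authentication is never reused after login.` The body is correct as far as beego's API goes: `SessionRegenerateID` swaps the controller's current session store before `SetSession` writes into it, so the user never lands in the old session. One thing worth confirming against the beego version vendored by this repository is what attributes the regenerated cookie carries: in the branch where a session cookie already exists, older beego releases rebuild the Set-Cookie from the request cookie (name and value only), so the Secure attribute of the original session cookie may not be re-applied, which would leave the post-login cookie weaker than the pre-login one; if that is the case here, the attribute should be re-set after regeneration or beego updated.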
@@ -51,6 +50,9 @@ func (cc *CommonController) Render() error {
 	return nil
 }
 
+// Prepare overwrites the Prepare func in api.BaseController to ignore unnecessary steps
+func (cc *CommonController) Prepare() {}
+
 type messageDetail struct {
 	Hint string
 	URL  string
@@ -111,7 +113,7 @@ func (cc *CommonController) Login() {
 	if user == nil {
 		cc.CustomAbort(http.StatusUnauthorized, "")
 	}
-	cc.SetSession(userKey, *user)
+	cc.PopulateUserSession(*user)
 }
 
 // LogOut Habor UI
diff --git a/src/core/controllers/oidc.go b/src/core/controllers/oidc.go
index 3bc5d1e35..4068a6151 100644
--- a/src/core/controllers/oidc.go
+++ b/src/core/controllers/oidc.go
@@ -148,7 +148,7 @@ func (oc *OIDCController) Callback() {
 			oc.SendInternalServerError(err)
 			return
 		}
-		oc.SetSession(userKey, *u)
+		oc.PopulateUserSession(*u)
 		oc.Controller.Redirect("/", http.StatusFound)
 	}
 }
@@ -219,8 +219,8 @@ func (oc *OIDCController) Onboard() {
 	}
 	user.OIDCUserMeta = nil
 
-	oc.SetSession(userKey, user)
 	oc.DelSession(userInfoKey)
+	oc.PopulateUserSession(user)
 }
 
 func secretAndToken(tokenBytes []byte) (string, string, error) {
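Review bot: The empty `Prepare()` override on `CommonController` needs a comment that says what is being skipped rather than "unnecessary steps", because `api.BaseController.Prepare` is outside this diff and a reader cannot tell whether security-relevant request setup is among the skipped steps. Before this commit the struct embedded `beego.Controller`, whose `Prepare` is a no-op, so the override appears to restore the previous behaviour rather than drop a check that used to run; if that reading is right, state it: `// Prepare is intentionally a no-op: CommonController serves login/logout and must not run the request setup in api.BaseController.Prepare; this matches the beego.Controller it embedded before.` Adjust the wording to what BaseController.Prepare actually does.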
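Review bot: In `Onboard` the `DelSession(userInfoKey)` call now runs before `PopulateUserSession(user)`, which is the sensible order (the onboarding data is dropped before the session ID changes and the authenticated user is written), but nothing in the hunk explains why the two lines were swapped and a later cleanup could easily revert it. A one-line comment pins the intent: `// remove the pre-onboard OIDC user info before the session is regenerated and the user is stored`. The corresponding pre-onboard branch of `Callback` (hunk @@ -148,7 +148,7 @@) that stores `userInfoKey` lies outside the diff; it appears not to need its own regeneration because the user is only bound to the session here, but that is worth confirming.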