From 07dd14d3b5e5c98ab44e0f70fe375dd1764363d1 Mon Sep 17 00:00:00 2001
From: Daniel Jiang <jiangd@vmware.com>
Date: Thu, 19 Sep 2019 01:17:07 +0800
Subject: [PATCH] Generate new session ID after login

This commit mitigates the Session Fixation issue by making sure a new
session ID is generated each time user logs in to Harbor

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
---
 src/core/api/base.go         |  8 ++++++++
 src/core/controllers/base.go | 10 ++++++----
 src/core/controllers/oidc.go |  4 ++--
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/core/api/base.go b/src/core/api/base.go
index 195f7f9c8..30b7623f6 100644
--- a/src/core/api/base.go
+++ b/src/core/api/base.go
@@ -18,6 +18,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/goharbor/harbor/src/common/models"
 	"net/http"
 
 	"github.com/ghodss/yaml"
@@ -37,6 +38,7 @@ import (
 
 const (
 	yamlFileContentType = "application/x-yaml"
+	userSessionKey      = "user"
 )
 
 // the managers/controllers used globally
@@ -168,6 +170,12 @@ func (b *BaseController) WriteYamlData(object interface{}) {
 	_, _ = w.Write(yData)
 }
 
+// PopulateUserSession generates a new session ID and fill the user model in parm to the session
+func (b *BaseController) PopulateUserSession(u models.User) {
+	b.SessionRegenerateID()
+	b.SetSession(userSessionKey, u)
+}
+
 // Init related objects/configurations for the API controllers
 func Init() error {
 	registerHealthCheckers()
diff --git a/src/core/controllers/base.go b/src/core/controllers/base.go
index 6337973fb..714306a75 100644
--- a/src/core/controllers/base.go
+++ b/src/core/controllers/base.go
@@ -17,6 +17,7 @@ package controllers
 import (
 	"bytes"
 	"context"
+	"github.com/goharbor/harbor/src/core/api"
 	"html/template"
 	"net"
 	"net/http"
@@ -38,11 +39,9 @@ import (
 	"github.com/goharbor/harbor/src/core/filter"
 )
 
-const userKey = "user"
-
 // CommonController handles request from UI that doesn't expect a page, such as /SwitchLanguage /logout ...
 type CommonController struct {
-	beego.Controller
+	api.BaseController
 	i18n.Locale
 }
 
@@ -51,6 +50,9 @@ func (cc *CommonController) Render() error {
 	return nil
 }
 
+// Prepare overwrites the Prepare func in api.BaseController to ignore unnecessary steps
+func (cc *CommonController) Prepare() {}
+
 type messageDetail struct {
 	Hint string
 	URL  string
@@ -111,7 +113,7 @@ func (cc *CommonController) Login() {
 	if user == nil {
 		cc.CustomAbort(http.StatusUnauthorized, "")
 	}
-	cc.SetSession(userKey, *user)
+	cc.PopulateUserSession(*user)
 }
 
 // LogOut Habor UI
diff --git a/src/core/controllers/oidc.go b/src/core/controllers/oidc.go
index 3bc5d1e35..4068a6151 100644
--- a/src/core/controllers/oidc.go
+++ b/src/core/controllers/oidc.go
@@ -148,7 +148,7 @@ func (oc *OIDCController) Callback() {
 			oc.SendInternalServerError(err)
 			return
 		}
-		oc.SetSession(userKey, *u)
+		oc.PopulateUserSession(*u)
 		oc.Controller.Redirect("/", http.StatusFound)
 	}
 }
@@ -219,8 +219,8 @@ func (oc *OIDCController) Onboard() {
 	}
 
 	user.OIDCUserMeta = nil
-	oc.SetSession(userKey, user)
 	oc.DelSession(userInfoKey)
+	oc.PopulateUserSession(user)
 }
 
 func secretAndToken(tokenBytes []byte) (string, string, error) {