Merge pull request #186 from joelbcastillo/regenerate-session

prevent session fixation attacks
CityOfNewYork · Jan 27, 2017 · 076257b · 076257b
2 parents 5644be7 + 95cea5e
commit 076257b
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/app/auth/views.py b/app/auth/views.py
@@ -73,6 +73,7 @@ def ldap_login():
 
             if authenticated:
                 login_user(user)
+                session.regenerate()  # KVSession.regenerate()
                 session['user_id'] = current_user.get_id()
 
                 return_to_url = request.form.get('return_to_url')

diff --git a/config.py b/config.py
@@ -17,7 +17,7 @@ class Config:
                          os.path.join(os.path.abspath(os.path.dirname(__file__)), 'logs/'))
 
     APP_TIMEZONE = os.environ.get('APP_TIMEZONE') or 'US/Eastern'
-    SESSION_COOKIE_SECURE = os.environ.get('SESSION_COOKIE_SECURE') or True
+    SESSION_COOKIE_SECURE = os.environ.get('SESSION_COOKIE_SECURE') == 'True'
 
     # Note: BASE_URL and VIEW_REQUEST_ENDPOINT used for the automatic status update job (jobs.py)
     BASE_URL = os.environ.get('BASE_URL')