Skip to content

fix: renew session on user login to prevent session fixation#300

Open
allamiro wants to merge 1 commit into
lixmal:masterfrom
allamiro:fix/session-renew
Open

fix: renew session on user login to prevent session fixation#300
allamiro wants to merge 1 commit into
lixmal:masterfrom
allamiro:fix/session-renew

Conversation

@allamiro

@allamiro allamiro commented Jun 13, 2026

Copy link
Copy Markdown
Contributor

Fixes #277.

Problem

set_user_session stored the authenticated user in the pre-login session without rotating it — standard session-fixation hygiene (actix-session provides Session::renew() exactly for privilege changes).

Change

session.renew() is called at the start of set_user_session, so both the mask login path (/user_login) and the OIDC callback path get a fresh session key on successful authentication.

Testing

cargo test: 9/9 pass in a rust:1.83 container.


Summary by cubic

Rotate the session on authentication to prevent session fixation. set_user_session now calls Session::renew() (from actix-session) before storing the user, so both /user_login and the OIDC callback issue a fresh session ID.

Written for commit 36a056d. Summary will update on new commits.

Review in cubic

actix-session recommends rotating the session on privilege changes.
set_user_session now calls session.renew() before storing the user
and csrf token.
@allamiro allamiro force-pushed the fix/session-renew branch from 36a056d to faf401b Compare June 13, 2026 00:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Session is not renewed on login (session fixation hygiene)

1 participant