added session regeneration

This commit is contained in:
Gamosoft 2025-11-25 17:56:11 +01:00
parent 6b7febd418
commit 3459e4c9a1
1 changed files with 8 additions and 3 deletions

View File

@ -123,12 +123,13 @@ def safe_error_message(error: Exception, user_message: str = "An error occurred"
return user_message return user_message
# Session middleware for authentication # Session middleware for authentication
# Security: Session ID is regenerated after login to prevent session fixation attacks
app.add_middleware( app.add_middleware(
SessionMiddleware, SessionMiddleware,
secret_key=config.get('authentication', {}).get('secret_key', 'insecure_default_key_change_this'), secret_key=config.get('authentication', {}).get('secret_key', 'insecure_default_key_change_this'),
max_age=config.get('authentication', {}).get('session_max_age', 604800), # 7 days default max_age=config.get('authentication', {}).get('session_max_age', 604800), # 7 days default
same_site='lax', same_site='lax', # Prevents CSRF attacks
https_only=False # Set to True if using HTTPS https_only=False # Set to True if using HTTPS in production
) )
# Demo mode - Centralizes all demo-specific restrictions # Demo mode - Centralizes all demo-specific restrictions
@ -268,7 +269,11 @@ async def login(request: Request, password: str = Form(...)):
# Verify password # Verify password
if verify_password(password): if verify_password(password):
# Set session # Session regeneration: Clear old session to prevent session fixation attacks
# This forces the creation of a new session ID after successful authentication
request.session.clear()
# Set authenticated flag in the NEW session
request.session['authenticated'] = True request.session['authenticated'] = True
return RedirectResponse(url="/", status_code=303) return RedirectResponse(url="/", status_code=303)
else: else: