James Moger
2012-11-29 e5c7795dc9185272365ff340698c7d2f1e6f11ab
Skip re-authentication if we have a valid session
2 files modified
10 ■■■■ changed files
src/com/gitblit/GitBlit.java 2 ●●●●● patch | view | raw | blame | history
src/com/gitblit/wicket/pages/BasePage.java 8 ●●●● patch | view | raw | blame | history
src/com/gitblit/GitBlit.java
@@ -591,6 +591,8 @@
            if (user != null) {
                GitBlitWebSession session = GitBlitWebSession.get();
                session.authenticationType = AuthenticationType.COOKIE;
                logger.info(MessageFormat.format("{0} authenticated by cookie from {1}",
                        user.username, httpRequest.getRemoteAddr()));
                return user;
            }
        }
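Review bot: The `GitBlitWebSession.get()` call in the cookie branch assumes a Wicket session is bound to the current thread, but this method takes a plain `httpRequest` and may also be reached from servlet filters that run outside a Wicket request cycle; the callers are not visible here, so this needs confirming. If it is, the lookup could fail, or attach a session, on a path that previously only returned the user, which would break cookie authentication for those callers. Guarding the flag keeps the authentication result independent of the UI layer: `if (RequestCycle.get() != null) { GitBlitWebSession.get().authenticationType = AuthenticationType.COOKIE; }`. The enclosing method starts and ends outside the hunk.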
src/com/gitblit/wicket/pages/BasePage.java
@@ -130,14 +130,18 @@
    }    
    private void login() {
        GitBlitWebSession session = GitBlitWebSession.get();
        if (session.isLoggedIn() && !session.isSessionInvalidated()) {
            // already have a session
            return;
        }
        // try to authenticate by servlet request
        HttpServletRequest httpRequest = ((WebRequest) getRequestCycle().getRequest()).getHttpServletRequest();
        UserModel user = GitBlit.self().authenticate(httpRequest);
        // Login the user
        if (user != null) {
            // Set the user into the session
            GitBlitWebSession session = GitBlitWebSession.get();
            // issue 62: fix session fixation vulnerability
            session.replaceSession();
            session.setUser(user);