Skip to content

fix: scope ClearNonCurrentSessions to current user only #21331

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
harshinsecurity wants to merge 1 commit into
base: develop
Choose a base branch
from
+12 −6
Open

fix: scope ClearNonCurrentSessions to current user only #21331

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions core/sessions/ldapauth/ldap.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -456,9 +456,11 @@ func (l *ldapAuthenticator) CreateSession(ctx context.Context, sr sessions.Sessi
return session.ID, nil
}

// ClearNonCurrentSessions removes all ldap_sessions but the id passed in.
// ClearNonCurrentSessions removes all ldap_sessions for the user owning the
// given session, except the session itself. It uses a subquery so that only
// the current user's sessions are affected rather than every session in the table.
func (l *ldapAuthenticator) ClearNonCurrentSessions(ctx context.Context, sessionID string) error {
_, err := l.ds.ExecContext(ctx, "DELETE FROM ldap_sessions where id != $1", sessionID)
_, err := l.ds.ExecContext(ctx, "DELETE FROM ldap_sessions WHERE id != $1 AND user_email = (SELECT user_email FROM ldap_sessions WHERE id = $1)", sessionID)
return err
}

Expand Down
6 changes: 4 additions & 2 deletions core/sessions/localauth/orm.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -240,9 +240,11 @@ func constantTimeEmailCompare(left, right string) bool {
return subtle.ConstantTimeCompare(leftBytes, rightBytes) == 1
}

// ClearNonCurrentSessions removes all sessions but the id passed in.
// ClearNonCurrentSessions removes all sessions for the user owning the given
// session, except the session itself. It uses a subquery so that only the
// current user's sessions are affected rather than every session in the table.
func (o *orm) ClearNonCurrentSessions(ctx context.Context, sessionID string) error {
_, err := o.ds.ExecContext(ctx, "DELETE FROM sessions where id != $1", sessionID)
_, err := o.ds.ExecContext(ctx, "DELETE FROM sessions WHERE id != $1 AND email = (SELECT email FROM sessions WHERE id = $1)", sessionID)
return err
}

Expand Down
6 changes: 4 additions & 2 deletions core/sessions/oidcauth/oidc.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -438,9 +438,11 @@ func (oi *oidcAuthenticator) CreateSession(ctx context.Context, sr clsessions.Se
return session.ID, nil
}

// ClearNonCurrentSessions removes all oicd_sessions but the id passed in.
// ClearNonCurrentSessions removes all oidc_sessions for the user owning the
// given session, except the session itself. It uses a subquery so that only
// the current user's sessions are affected rather than every session in the table.
func (oi *oidcAuthenticator) ClearNonCurrentSessions(ctx context.Context, sessionID string) error {
_, err := oi.ds.ExecContext(ctx, "DELETE FROM oidc_sessions where id != $1", sessionID)
_, err := oi.ds.ExecContext(ctx, "DELETE FROM oidc_sessions WHERE id != $1 AND user_email = (SELECT user_email FROM oidc_sessions WHERE id = $1)", sessionID)
return err
}

Expand Down