Otherwise restoring the requesttoken would reopen and read the existing
session data and restore it instead of clearing
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Sessions are a locking operation until we write close them, so close
them early and reopen later in case we want to write to them
Signed-off-by: Julius Härtl <jus@bitgrid.net>
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.
This also removes and empty lines from method/function bodies at the
beginning and end.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Sometimes when we force a session regeneration we want to update the
current token for this session.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This is a hacky way to allow the use case of #1303.
What happens is
1. User tries to login
2. PreLoginHook kicks in and figures out that the user need to change
their LDAP password or whatever => redirects user
3. While loading the redirect some logic of ours kicks in and logouts
the user (thus clearing the session).
4. We render the new page but now the session and the page disagree
about the CSRF token
This is kind of hacky but I don't think it introduces new attack
vectors.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Julius Härtl
Côme Chilliet
John Molakvoæ (skjnldsv)
Roeland Jago Douma
Christoph Wurst
Morris Jobke
Victor Dubiniuk
Joas Schilling
Lukas Reschke
Christoph Wurst
Roeland Jago Douma