User sessions not reset after 2FA activation (#35417).

Patch by Felix Schäfer. git-svn-id: http://svn.redmine.org/redmine/trunk@21069 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-01-31 11:37:14 +00:00 · 2021-07-15 01:44:05 +00:00 · 2021-07-15 01:44:05 +00:00 · 8f0d358533
commit 8f0d358533
parent 9fcf5af844
2 changed files with 3 additions and 1 deletions
--- a/app/controllers/twofa_controller.rb
+++ b/app/controllers/twofa_controller.rb
@ -47,6 +47,8 @@ class TwofaController < ApplicationController

  def activate
    if @twofa.confirm_pairing!(params[:twofa_code].to_s)
+      # The session token was destroyed by the twofa pairing, generate a new one
+      session[:tk] = @user.generate_session_token
      flash[:notice] = l('twofa_activated', bc_path: my_twofa_backup_codes_init_path)
      redirect_to my_account_path
    else
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -919,7 +919,7 @@ class User < Principal
  # This helps to keep the account secure in case the associated email account
  # was compromised.
  def destroy_tokens
-    if saved_change_to_hashed_password? || (saved_change_to_status? && !active?)
+    if saved_change_to_hashed_password? || (saved_change_to_status? && !active?) || (saved_change_to_twofa_scheme? && twofa_scheme.present?)
      tokens = ['recovery', 'autologin', 'session']
      Token.where(:user_id => id, :action => tokens).delete_all
    end