Merge pull request #223 from CybercentreCanada/hotfix/session

Hotfix/session
CybercentreCanada · Jul 14, 2021 · 8611ec5 · 8611ec5
2 parents e52a3fb + fd2d689
commit 8611ec5
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 1 deletion.
diff --git a/assemblyline_ui/api/base.py b/assemblyline_ui/api/base.py
@@ -60,6 +60,7 @@ def auto_auth_check(self):
                 except AuthenticationException:
                     msg = "Invalid user or APIKey"
                     LOGGER.warning(f"Authentication failure. (U:{uname} - IP:{ip}) [{msg}]")
+                    flsk_session.clear()
                     abort(401, msg)
                     return
 

diff --git a/assemblyline_ui/security/authenticator.py b/assemblyline_ui/security/authenticator.py
@@ -70,19 +70,22 @@ def get_logged_in_user(self):
 
         if not session_id:
             current_app.logger.debug('session_id cookie not found')
+            flsk_session.clear()
             abort(401, "Session not found")
 
         session = KV_SESSION.get(session_id)
 
         if not session:
             current_app.logger.debug(f'[{session_id}] session_id not found in redis')
+            flsk_session.clear()
             abort(401, "Session expired")
         else:
             cur_time = now()
             if session.get('expire_at', 0) < cur_time:
                 KV_SESSION.pop(session_id)
                 current_app.logger.debug(f'[{session_id}] session has expired '
                                          f'{session.get("expire_at", 0)} < {cur_time}')
+                flsk_session.clear()
                 abort(401, "Session expired")
             else:
                 session['expire_at'] = cur_time + session.get('duration', 3600)
@@ -91,12 +94,14 @@ def get_logged_in_user(self):
                 request.headers.get("X-Forwarded-For", request.remote_addr) != session.get('ip', None):
             current_app.logger.debug(f'[{session_id}] X-Forwarded-For does not match session IP '
                                      f'{request.headers.get("X-Forwarded-For", None)} != {session.get("ip", None)}')
+            flsk_session.clear()
             abort(401, "Invalid source IP for this session")
 
         if config.ui.validate_session_useragent and \
                 request.headers.get("User-Agent", None) != session.get('user_agent', None):
             current_app.logger.debug(f'[{session_id}] User-Agent does not match session user_agent '
                                      f'{request.headers.get("User-Agent", None)} != {session.get("user_agent", None)}')
+            flsk_session.clear()
             abort(401, "Invalid user agent for this session")
 
         KV_SESSION.set(session_id, session)

diff --git a/setup.py b/setup.py
@@ -42,7 +42,6 @@
         'python-socketio<5.0.0',
         'flask',
         'flask-socketio<5.0.0',
-        'greenlet',
         'gunicorn',
         'gevent',
         'gevent-websocket',