Fixed exposed password in session

The project password was set in clear text in the session cookie. The cookie payload is only base64 encoded so it must not be used to store private information. The password is simply replaced by a boolean.
2025-05-05 12:41:49 +02:00 · 2017-09-06 18:49:15 +02:00 · 2017-09-06 18:49:15 +02:00 · 3a4a1b7357
commit 3a4a1b7357
parent 6ccf86919e
2 changed files with 8 additions and 8 deletions
--- a/ihatemoney/tests/tests.py
+++ b/ihatemoney/tests/tests.py
@ -181,7 +181,7 @@ class BudgetTestCase(IhatemoneyTestCase):
            })

            # session is updated
-            self.assertEqual(session['raclette'], 'party')
+            self.assertTrue(session['raclette'])

            # project is created
            self.assertEqual(len(models.Project.query.all()), 1)
@ -373,7 +373,7 @@ class BudgetTestCase(IhatemoneyTestCase):

            self.assertNotIn("Authentication", resp.data.decode('utf-8'))
            self.assertIn('raclette', session)
-            self.assertEqual(session['raclette'], 'raclette')
+            self.assertTrue(session['raclette'])

            # logout should wipe the session out
            c.get("/exit")
--- a/ihatemoney/web.py
+++ b/ihatemoney/web.py
@ -105,7 +105,7 @@ def pull_project(endpoint, values):
                                      project_id=project_id))

        is_admin = session.get('is_admin')
-        if (project.id in session and session[project.id] == project.password) or is_admin:
+        if session.get(project.id) or is_admin:
            # add project into kwargs and call the original function
            g.project = project
        else:
@ -173,7 +173,7 @@ def authenticate(project_id=None):

    else:
        # if credentials are already in session, redirect
-        if project_id in session and project.password == session[project_id]:
+        if session.get(project_id):
            setattr(g, 'project', project)
            return redirect(url_for(".list_bills"))

@ -189,7 +189,7 @@ def authenticate(project_id=None):
                        session["projects"] = []
                    # add the project on the top of the list
                    session["projects"].insert(0, (project_id, project.name))
-                    session[project_id] = form.password.data
+                    session[project_id] = True
                    session.update()
                    setattr(g, 'project', project)
                    return redirect(url_for(".list_bills"))
@ -233,7 +233,7 @@ def create_project():
            db.session.commit()

            # create the session object (authenticate)
-            session[project.id] = project.password
+            session[project.id] = True
            session.update()

            # send reminder email
@ -290,8 +290,8 @@ def edit_project():
    if request.method == "POST":
        if edit_form.validate():
            project = edit_form.update(g.project)
+            db.session.add(project)
            db.session.commit()
-            session[project.id] = project.password

            return redirect(url_for(".list_bills"))

@ -359,7 +359,7 @@ def demo():
                          contact_email="demo@notmyidea.org")
        db.session.add(project)
        db.session.commit()
-    session[project.id] = project.password
+    session[project.id] = True
    return redirect(url_for(".list_bills", project_id=project.id))