andrewmusselman opened a new issue, #733: URL: https://github.com/apache/tooling-trusted-releases/issues/733
**ASVS Reference:** 7.2.4
**Findings:** 7.2.4-01, 7.2.4-02

### Description

The OAuth authentication flow in `asfquart/generics.py` does not regenerate the session on login or re-authentication:

1. **On OAuth callback:** `session.write(oauth_data)` overwrites session data into the existing session structure without clearing or regenerating the session ID. This creates a session fixation risk.
2. **On re-authentication initiation:** When a user navigates to `/auth?login`, the existing session is not cleared before redirecting to the OAuth provider. Old session data can persist.

The admin "browse-as" flow correctly calls `asfquart.session.clear()` before writing new session data, demonstrating the pattern that should be applied to OAuth as well.

### Affected Files

- `src/asfquart/generics.py` — OAuth callback (lines ~62–83) and login initiation (lines ~40–53)
- `src/asfquart/session.py` — `write()` function does not include session regeneration

### Recommendation

In the OAuth callback, call `asfquart.session.clear()` and `quart.session.clear()` before writing the new session data. Similarly, clear the session before initiating a re-authentication redirect.

Follow up on making `asfquart` read/write methods safe (@sbp should this be cross-referenced to an Issue there?)
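To make the finding concrete, here is an added, self-contained model of the two callback behaviours (this is illustrative code, not asfquart's or Quart's own session implementation): a minimal server-side session store whose `write()` merges into the existing session id, as the report describes, contrasted with a callback that clears the pre-login session and issues a fresh id before storing the OAuth identity. All names and values are constructed for the example.

```python
import secrets


class SessionStore:
    """Minimal server-side session store (constructed model, not asfquart)."""

    def __init__(self):
        self._data = {}

    def new(self):
        sid = secrets.token_hex(16)
        self._data[sid] = {}
        return sid

    def read(self, sid):
        return self._data.get(sid)

    def write(self, sid, payload):
        # Mirrors the reported behaviour: merge into the existing session, same id.
        self._data.setdefault(sid, {}).update(payload)

    def clear(self, sid):
        self._data.pop(sid, None)


def oauth_callback_unsafe(store, sid, oauth_data):
    """Write the identity into whatever session id the browser presented."""
    store.write(sid, oauth_data)
    return sid


def oauth_callback_regenerating(store, sid, oauth_data):
    """Drop the pre-login session and issue a fresh id before writing the identity."""
    store.clear(sid)
    new_sid = store.new()
    store.write(new_sid, oauth_data)
    return new_sid


def fixation_demo(callback):
    """Run one callback variant and report the three properties the finding cares about."""
    store = SessionStore()
    pre_login_sid = store.new()  # session id that existed before authentication
    store.write(pre_login_sid, {"oauth_state": "stale-state"})  # constructed pre-login data
    oauth_data = {"uid": "alice", "email": "alice@example.org"}  # constructed identity
    post_login_sid = callback(store, pre_login_sid, oauth_data)
    return {
        "id_changed": post_login_sid != pre_login_sid,
        "old_id_authenticated": (store.read(pre_login_sid) or {}).get("uid") == "alice",
        "stale_data_kept": "oauth_state" in (store.read(post_login_sid) or {}),
    }
```

With the merging `write()`, the pre-login id becomes an authenticated session and the stale data survives; with clear-then-regenerate, the old id is dead and the new session holds only the OAuth identity.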
