Sometimes when we force a session regeneration we want to update the
current token for this session.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This is a hacky way to allow the use case of #1303.
What happens is
1. User tries to login
2. PreLoginHook kicks in and figures out that the user need to change
their LDAP password or whatever => redirects user
3. While loading the redirect some logic of ours kicks in and logouts
the user (thus clearing the session).
4. We render the new page but now the session and the page disagree
about the CSRF token
This is kind of hacky but I don't think it introduces new attack
vectors.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Christoph Wurst
Roeland Jago Douma
Morris Jobke
Victor Dubiniuk
Joas Schilling
Lukas Reschke
Christoph Wurst
Roeland Jago Douma