From e4d462ad53597fd5410aa4e94a57bb15b92a3f13 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Feb 15 2017 06:13:37 +0000 Subject: Insure removal of session on identity change If we are changing identiy (different principal) insure we remove the session cookie stored on the rpc context so that we do not mistakenly connect with the previous identity credentials. https://fedorahosted.org/freeipa/ticket/6543 Signed-off-by: Simo Sorce Reviewed-By: Jan Cholasta
---
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index c8a67a1..31ed64e 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -903,6 +903,12 @@ class RPCClient(Connectible):
 try:
 rpc_uri = self.env[self.env_rpc_uri_key]
 principal = get_principal(ccache_name=ccache)
+ stored_principal = getattr(context, 'principal', None)
+ if principal != stored_principal:
+ try:
+ delattr(context, 'session_cookie')
+ except AttributeError:
+ pass
 setattr(context, 'principal', principal)
 # We have a session cookie, try using the session URI to see if it
 # is still valid
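Review bot: The identity check added before `setattr(context, 'principal', principal)` clears only the in-memory `context.session_cookie`, while the lines after the hunk (not visible here) go on to look for a session cookie. If that lookup can fall back to a persisted cookie, it has to be keyed by the new principal, otherwise the previous identity's session could be picked up again. Also, `stored_principal` is `None` the first time a context connects, so any cookie already set on it is discarded too; that is the safe direction, but it deserves a comment such as `# a session cookie is bound to the principal that obtained it; drop the cached one whenever the ccache identity differs or was never recorded`. The enclosing method starts and ends outside the hunk, so how the cookie is consumed should be confirmed there.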