Put request update on login in separate function

python/nav/web/auth/__init__.py

@@ -159,3 +159,13 @@ def logout(request, sudo=False):
         LogEntry.add_log_entry(account, 'log-out', '{actor} logged out', before=account)
     _logger.debug('logout: redirect to "/" after logout')
     return get_post_logout_redirect_url(request)
+
+
+def set_request_account(request, account):
+    """Updates request with new account.
+    Cycles the session ID to avoid session fixation.
+    This function is meant to be called during login.
+    """
+    request.session[ACCOUNT_ID_VAR] = account.id
+    request.session.cycle_key()
+    request.account = account

python/nav/web/auth/remote_user.py

@@ -23,6 +23,7 @@
 from nav.config import NAVConfigParser
 from nav.models.profiles import Account
 from nav.web.auth.utils import ACCOUNT_ID_VAR
+from nav.web.auth import set_request_account
 
 try:
     # Python 3.6+
@@ -122,9 +123,7 @@ def login(request):
         # Get or create an account from the REMOTE_USER http header
         account = authenticate(request)
         if account:
-            request.session[ACCOUNT_ID_VAR] = account.id
-            request.session.cycle_key()
-            request.account = account
+            set_request_account(request, account)
             return account
     return None
 

python/nav/web/webfront/views.py

@@ -232,9 +232,7 @@ def do_login(request):
                 )
 
                 try:
-                    request.session[ACCOUNT_ID_VAR] = account.id
-                    request.session.cycle_key()
-                    request.account = account
+                    auth.set_request_account(request, account)
                 except ldap.Error as error:
                     errors.append('Error while talking to LDAP:\n%s' % error)
                 else: