From d330bf4ebacb5c871a48e99080943ac88e47aa2a Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 28 Jun 2022 22:50:28 +0200
Subject: [PATCH] middleware: set a variable value in the A2_OPENED_SESSION cookie
---
 src/authentic2/middleware.py | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/authentic2/middleware.py b/src/authentic2/middleware.py
index b8766f19..aa187aaa 100644
--- a/src/authentic2/middleware.py
+++ b/src/authentic2/middleware.py
@@ -15,6 +15,7 @@
 # along with this program. If not, see .
 import time
+import uuid
 try:
 import threading
@@ -69,14 +70,15 @@ class OpenedSessionCookieMiddleware(MiddlewareMixin):
 domain = app_settings.A2_OPENED_SESSION_COOKIE_DOMAIN
 if enabled and hasattr(request, 'user') and request.user.is_authenticated:
- response.set_cookie(
- name,
- value='1',
- max_age=None,
- domain=domain,
- secure=app_settings.A2_OPENED_SESSION_COOKIE_SECURE,
- samesite='Lax',
- )
+ if name not in request.COOKIES:
+ response.set_cookie(
+ name,
+ value=uuid.uuid4().hex,
+ max_age=None,
+ domain=domain,
+ secure=app_settings.A2_OPENED_SESSION_COOKIE_SECURE,
+ samesite='Lax',
+ )
 elif app_settings.A2_OPENED_SESSION_COOKIE_NAME in request.COOKIES:
 response.delete_cookie(name, domain=domain)
 return response
--
2.35.1
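Review bot: The new guard `if name not in request.COOKIES:` in the second hunk keeps whatever value the browser already sends, so once the cookie exists it is never checked or re-issued. The cookie is scoped to `A2_OPENED_SESSION_COOKIE_DOMAIN`, so a value set by another host on that domain persists unchanged. The same holds for a value left over when a different account authenticates without an anonymous response in between. If consumers are meant to tell sessions apart by this value (an inference from the commit subject), they would miss that change. Consider binding the value to the server-side session, e.g. `value = request.session.setdefault('opened_session_value', uuid.uuid4().hex)` (key name illustrative) followed by `if request.COOKIES.get(name) != value:` before `response.set_cookie(...)`; the enclosing method starts above the hunk, so check that `request.session` is always available there.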