From 216d413c15b4573c6cfb3747360af63370e51210 Mon Sep 17 00:00:00 2001
From: Aaron Lindsay
Date: Sat, 18 Nov 2017 20:45:35 -0500
Subject: [PATCH] Ensure we don't have duplicate session secrets
---
 internal/handlers/sessions.go | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/internal/handlers/sessions.go b/internal/handlers/sessions.go
index 55e1f91..e6f5dab 100644
--- a/internal/handlers/sessions.go
+++ b/internal/handlers/sessions.go
@@ -81,6 +81,14 @@ func NewSession(tx *Tx, r *http.Request, userid int64) (*NewSessionWriter, error
 return nil, err
 }

+ existing, err := tx.SelectInt("SELECT count(*) from sessions where SessionSecret=?", session_secret)
+ if err != nil {
+ return nil, err
+ }
+ if existing > 0 {
+ return nil, fmt.Errorf("%d session(s) exist with the generated session_secret")
+ }
+
 cookie := http.Cookie{
 Name: "moneygo-session",
 Value: session_secret,
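Review bot: The `fmt.Errorf` call in the `existing > 0` branch has a `%d` verb but no argument, so the error text will contain `%!d(MISSING)` instead of the count (go vet reports this); it should read `return nil, fmt.Errorf("%d session(s) exist with the generated session_secret", existing)`. The count-then-insert check also only holds if nothing else can insert the same value between this SELECT and the later insert, which depends on the isolation level of `tx`; a UNIQUE constraint on `SessionSecret` would enforce it in the database regardless, though the schema is not visible here. A collision on a properly random secret should be practically impossible, so this branch firing more likely points at a broken random source and deserves a server-side log entry, not just a returned error. NewSession's body starts and ends outside the hunk.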