Make sure session from session cookie matches psid

Author: grishka

src/main/java/smithereen/SmithereenApplication.java

@@ -235,9 +235,12 @@ public static void main(String[] args){
 			SessionInfo info=sessionInfo(request);
 			if(info!=null && info.account!=null){
 				info.account=UserStorage.getAccount(info.account.id);
+				String psid=request.cookie("psid");
 				if(info.account==null){
 					response.removeCookie("/", "psid");
 					request.session().invalidate();
+				}else if(!Objects.equals(psid, info.persistentSessionID)){
+					request.session().invalidate();
 				}else{
 					info.permissions=SessionStorage.getUserPermissions(info.account);
 
@@ -250,7 +253,7 @@ public static void main(String[] args){
 						info.ip=ip;
 						BackgroundTaskRunner.getInstance().submit(()->{
 							try{
-								SessionStorage.setLastActive(info.account.id, request.cookie("psid"), info.account.lastActive, ip, ua, uaHash);
+								SessionStorage.setLastActive(info.account.id, psid, info.account.lastActive, ip, ua, uaHash);
 							}catch(SQLException x){
 								LOG.warn("Error updating account session", x);
 							}

src/main/java/smithereen/model/SessionInfo.java

@@ -17,6 +17,7 @@ public class SessionInfo{
 	public UserPermissions permissions;
 	public long userAgentHash;
 	public InetAddress ip;
+	public String persistentSessionID;
 
 	public static class PageHistory{
 		public ArrayList<String> entries=new ArrayList<>();

src/main/java/smithereen/storage/SessionStorage.java

@@ -119,6 +119,7 @@ record SessionRow(int accountID, InetAddress ip, long uaHash){}
 			info.csrfToken=Utils.csrfTokenFromSessionID(sid);
 			info.ip=sr.ip;
 			info.userAgentHash=sr.uaHash;
+			info.persistentSessionID=psid;
 			if(info.account.prefs.locale==null){
 				Locale requestLocale=req.raw().getLocale();
 				if(requestLocale!=null){