fix construction of cookie using user supplied input #12808 (#13029)

learningequality · Feb 11, 2025 · f1c785c · f1c785c
1 parent eb25f29
commit f1c785c
Showing 1 changed file with 6 additions and 11 deletions.
diff --git a/kolibri/core/auth/api.py b/kolibri/core/auth/api.py
@@ -1046,17 +1046,12 @@ def get_session_response(self, request):
 
         if isinstance(user, AnonymousUser):
             response = Response(session)
-            if not request.COOKIES.get("visitor_id"):
-                visitor_id = str(uuid4().hex)
-                response.set_cookie(
-                    "visitor_id", visitor_id, expires=visitor_cookie_expiry
-                )
-            else:
-                response.set_cookie(
-                    "visitor_id",
-                    request.COOKIES.get("visitor_id"),
-                    expires=visitor_cookie_expiry,
-                )
+            try:
+                visitor_id = request.COOKIES.get("visitor_id")
+                visitor_id = UUID(visitor_id, version=4).hex
+            except (ValueError, TypeError):
+                visitor_id = uuid4().hex
+            response.set_cookie("visitor_id", visitor_id, expires=visitor_cookie_expiry)
             return response
         # Set last activity on session to the current time to prevent session timeout
         # Only do this for logged in users, as anonymous users cannot get logged out!