From fca4ebcd72dc7aabff6d4a53e47a1a149058f75f Mon Sep 17 00:00:00 2001
From: Travis Ralston
Date: Fri, 5 Jul 2019 14:45:34 -0600
Subject: [PATCH 1/2] Overwrite the old session if the new creds are for a different user

Fixes https://github.com/vector-im/riot-web/issues/10272
---
 src/Lifecycle.js | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/Lifecycle.js b/src/Lifecycle.js
index e3c4d39242..140dffeb9f 100644
--- a/src/Lifecycle.js
+++ b/src/Lifecycle.js
@@ -348,15 +348,26 @@ export function setLoggedIn(credentials) {
 * new one in its place. This additionally starts all other react-sdk services
 * which use the new Matrix client.
 *
+ * If the credentials belong to a different user from the session already stored,
+ * the old session will be cleared automatically.
+ *
 * @param {MatrixClientCreds} credentials The credentials to use
 *
 * @returns {Promise} promise which resolves to the new MatrixClient once it has been started
 */
 export function hydrateSession(credentials) {
- stopMatrixClient();
+ const oldUserId = MatrixClientPeg.get().getUserId();
+
+ stopMatrixClient(); // unsets MatrixClientPeg.get()
 localStorage.removeItem("mx_soft_logout");
 _isLoggingOut = false;
- return _doSetLoggedIn(credentials, false);
+
+ const overwrite = credentials.userId !== oldUserId;
+ if (overwrite) {
+ console.warn("Rehydrating the user's session with a different user's - clearing all data");
+ }
+
+ return _doSetLoggedIn(credentials, overwrite);
 }
 
 /**

From 8ebc03706a9bd3272d45e043ff8bd0a3c1c0a73d Mon Sep 17 00:00:00 2001
From: Travis Ralston
Date: Mon, 8 Jul 2019 15:35:34 -0600
Subject: [PATCH 2/2] Also clear data when the deviceId doesn't match

When the HS implementation doesn't respect the device_id parameter erroneously
---
 src/Lifecycle.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/Lifecycle.js b/src/Lifecycle.js
index 140dffeb9f..fe7348e9c6 100644
--- a/src/Lifecycle.js
+++ b/src/Lifecycle.js
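Review bot: In patch 1/2's hunk, the added `const oldUserId = MatrixClientPeg.get().getUserId();` dereferences the peg without a null check, and the comment added on the next line notes that `stopMatrixClient()` unsets `MatrixClientPeg.get()`, so the getter can evidently return nothing. If hydrateSession can be reached without a live client (not visible from this hunk), the call throws before `mx_soft_logout` is cleared and before the overwrite decision is made. Reading the client once and guarding it, `const oldClient = MatrixClientPeg.get();` followed by `const oldUserId = oldClient ? oldClient.getUserId() : null;`, makes a missing client compare unequal, so stored data is cleared rather than reused. The same applies to the `getDeviceId()` call that patch 2/2 adds beside it.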
@@ -357,14 +357,15 @@ export function setLoggedIn(credentials) {
 */
 export function hydrateSession(credentials) {
 const oldUserId = MatrixClientPeg.get().getUserId();
+ const oldDeviceId = MatrixClientPeg.get().getDeviceId();
 
 stopMatrixClient(); // unsets MatrixClientPeg.get()
 localStorage.removeItem("mx_soft_logout");
 _isLoggingOut = false;
 
- const overwrite = credentials.userId !== oldUserId;
+ const overwrite = credentials.userId !== oldUserId || credentials.deviceId !== oldDeviceId;
 if (overwrite) {
- console.warn("Rehydrating the user's session with a different user's - clearing all data");
+ console.warn("Clearing all data: Old session belongs to a different user/device");
 }
 
 return _doSetLoggedIn(credentials, overwrite);
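Review bot: The JSDoc above hydrateSession (outside this hunk, added in patch 1/2) still says the old session is cleared only when the credentials belong to a different user, while the new `credentials.deviceId !== oldDeviceId` term also clears it on a device mismatch; the doc line should read something like `* If the credentials belong to a different user or device from the session already stored,`. A `credentials.deviceId` that is missing (undefined) also compares unequal and therefore clears all stored data. That fails closed, which looks like the intended direction, but it is worth stating next to the comparison, e.g. `// an absent deviceId counts as a mismatch: clear rather than reuse stored data`. The function body continues past the end of this hunk.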