Diffstat (limited to 'app/controllers/concerns')
-rw-r--r--app/controllers/concerns/impersonation.rb19
1 files changed, 18 insertions, 1 deletions
diff --git a/app/controllers/concerns/impersonation.rb b/app/controllers/concerns/impersonation.rb
index a4f2c263eb4..539dd9ad69d 100644
--- a/app/controllers/concerns/impersonation.rb
+++ b/app/controllers/concerns/impersonation.rb
@@ -3,6 +3,12 @@
module Impersonation
include Gitlab::Utils::StrongMemoize
+ SESSION_KEYS_TO_DELETE = %w(
+ github_access_token gitea_access_token gitlab_access_token
+ bitbucket_token bitbucket_refresh_token bitbucket_server_personal_access_token
+ bulk_import_gitlab_access_token fogbugz_token
+ ).freeze
+
def current_user
user = super
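Review bot: `SESSION_KEYS_TO_DELETE` is a hand-maintained denylist with no comment saying what these keys hold or which code writes them, so a credential later stored under a new session key would stay in the session after `stop_impersonation` without anyone noticing. The names suggest provider tokens cached by the import controllers (not visible here); a comment above the constant such as `# Provider tokens cached in the session by importers; cleared when impersonation stops so they do not carry over between identities. Add new token keys here.` would make that contract explicit. A narrower name, e.g. `ACCESS_TOKEN_SESSION_KEYS`, would also read better next to `clear_access_token_session_keys!` in the third hunk. In this diff the list is consulted only on the stop path, so it is worth confirming against the code that sets `session[:impersonator_id]` whether the same keys also need clearing when impersonation starts.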
@@ -14,7 +20,7 @@ module Impersonation
protected
def check_impersonation_availability
- return unless session[:impersonator_id]
+ return unless impersonation_in_progress?
unless Gitlab.config.gitlab.impersonation_enabled
stop_impersonation
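Review bot: `check_impersonation_availability` now asks `impersonation_in_progress?`, but `impersonator` in the third hunk still guards with `if session[:impersonator_id]`, so the file ends up with two different tests (`present?` versus plain truthiness) for the same state. Using the predicate there as well, `User.find(session[:impersonator_id]) if impersonation_in_progress?`, keeps a blank value from counting as in progress for one method and not the other. Both method bodies continue outside their hunks.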
@@ -27,14 +33,25 @@ module Impersonation
warden.set_user(impersonator, scope: :user)
session[:impersonator_id] = nil
+ clear_access_token_session_keys!
current_user
end
+ def impersonation_in_progress?
+ session[:impersonator_id].present?
+ end
+
def log_impersonation_event
Gitlab::AppLogger.info("User #{impersonator.username} has stopped impersonating #{current_user.username}")
end
+ def clear_access_token_session_keys!
+ access_tokens_keys = session.keys & SESSION_KEYS_TO_DELETE
+
+ access_tokens_keys.each { |key| session.delete(key) }
+ end
+
def impersonator
strong_memoize(:impersonator) do
User.find(session[:impersonator_id]) if session[:impersonator_id]