luci-base: improve login/logout handling
Redirect to the canonical URL after login, and redirect to a URL without the security token if the session has expired. Also make sure that the login page is served with status code 403 rather than 200, so that AJAX calls have a chance to detect expired sessions. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
This commit is contained in:
parent
73b19f6382
commit
83d520ab07
1 changed files with 13 additions and 5 deletions
@ -128,10 +128,18 @@ function authenticator.htmlauth(validator, accs, default)
return user
end
require("luci.i18n")
require("luci.template")
context.path = {}
luci.template.render("sysauth", {duser=default, fuser=user})
if context.urltoken.stok then
context.urltoken.stok = nil
http.header("Set-Cookie", "sysauth=; path="..build_url())
http.redirect(build_url())
else
require("luci.i18n")
require("luci.template")
context.path = {}
http.status(403, "Forbidden")
luci.template.render("sysauth", {duser=default, fuser=user})
end
return false
end
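Review bot: The expired-session branch clears the cookie with `Set-Cookie: sysauth=; path=...` but gives it no expiry attribute, so the browser keeps an empty `sysauth` cookie until the browsing session ends instead of deleting it; `http.header("Set-Cookie", "sysauth=; path="..build_url().."; expires=Thu, 01 Jan 1970 00:00:00 GMT")` removes it outright. The branch also deserves a why-comment, because redirecting rather than rendering the form is not obvious from the code: `-- stale security token: drop the session cookie and send the client to the token-less login URL`. Note that only the `else` branch answers with 403; the stale-token path answers with a redirect, so an AJAX client only observes the 403 after following it. authenticator.htmlauth begins above this hunk.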
@ -340,7 +348,6 @@ function dispatch(request)
if not util.contains(accs, user) then
if authen then
ctx.urltoken.stok = nil
local user, sess = authen(sys.user.checkpasswd, accs, def)
if not user or not util.contains(accs, user) then
return
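Review bot: `local user, sess = authen(sys.user.checkpasswd, accs, def)` redeclares `user` inside the `if authen then` block, shadowing the `user` tested by `if not util.contains(accs, user)` two lines above; luacheck flags this, and a reader has to track which binding the later `ctx.authuser = user` assignment refers to. Naming the inner result distinctly, e.g. `local auth_user, sess = authen(...)` with the following check and the later assignment updated to match, removes the ambiguity. dispatch() starts before this hunk and continues after it.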
@ -364,6 +371,7 @@ function dispatch(request)
if sess then
http.header("Set-Cookie", "sysauth=" .. sess.."; path="..build_url())
http.redirect(build_url(unpack(ctx.requestpath)))
ctx.authsession = sess
ctx.authuser = user
end
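Review bot: The session cookie issued on the `Set-Cookie` line carries no `HttpOnly` attribute, so the session id stays readable to any script running in the page; appending `"; HttpOnly"` (and `; Secure` where the UI is only reachable over HTTPS, which this hunk cannot tell) costs nothing because the cookie is only consumed server-side. After `http.redirect(build_url(unpack(ctx.requestpath)))` execution continues into the `ctx.authsession`/`ctx.authuser` assignments; if `http.redirect` does not end the request, the rest of dispatch presumably still runs the target node and emits a body alongside the 302 — worth confirming, or making explicit with a `return` after the assignments. dispatch() begins before this hunk and continues after it.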