luci-base: improve login/logout handling

Redirect to the canonical url after login and redirect to an url without
security token if the session expired. Also make sure that the login page
is served with status code 403, not 200 to give ajax calls a chance to
detect expired sessions.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

modules/luci-base/luasrc/dispatcher.lua

@@ -128,10 +128,18 @@ function authenticator.htmlauth(validator, accs, default)
 		return user
 	end
 
-	require("luci.i18n")
+	if context.urltoken.stok then
-	require("luci.template")
+		context.urltoken.stok = nil
-	context.path = {}
+		http.header("Set-Cookie", "sysauth=; path="..build_url())
-	luci.template.render("sysauth", {duser=default, fuser=user})
+		http.redirect(build_url())
+	else
+		require("luci.i18n")
+		require("luci.template")
+		context.path = {}
+		http.status(403, "Forbidden")
+		luci.template.render("sysauth", {duser=default, fuser=user})
+	end
+
 	return false
 
 end
@@ -340,7 +348,6 @@ function dispatch(request)
 
 		if not util.contains(accs, user) then
 			if authen then
-				ctx.urltoken.stok = nil
 				local user, sess = authen(sys.user.checkpasswd, accs, def)
 				if not user or not util.contains(accs, user) then
 					return
@@ -364,6 +371,7 @@ function dispatch(request)
 
 					if sess then
 						http.header("Set-Cookie", "sysauth=" .. sess.."; path="..build_url())
+						http.redirect(build_url(unpack(ctx.requestpath)))
 						ctx.authsession = sess
 						ctx.authuser = user
 					end