Difuse/luci
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Avoid setting duplicate cookies

Browse source 
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
This commit is contained in:
Jo-Philipp Wich 2015-02-09 16:30:11 +01:00
parent ec90cd69ed
commit ec1a86977b
2 changed files with 27 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
modules/luci-base/luasrc/dispatcher.lua
View file

@ -114,7 +114,14 @@ function authenticator.htmlauth(validator, accs, default)
if context.urltoken.stok then
context.urltoken.stok = nil
http.header("Set-Cookie", "sysauth=; path="..build_url())
local cookie = 'sysauth=%s; expires=%s; path=%s/' %{
http.getcookie('sysauth') or 'x',
'Thu, 01 Jan 1970 01:00:00 GMT',
build_url()
}
http.header("Set-Cookie", cookie)
http.redirect(build_url())
else
require("luci.i18n")
@ -329,13 +336,14 @@ function dispatch(request)
if not util.contains(accs, user) then
if authen then
local user, sess = authen(sys.user.checkpasswd, accs, def)
local token
if not user or not util.contains(accs, user) then
return
else
if not sess then
local sdat = util.ubus("session", "create", { timeout = tonumber(luci.config.sauth.sessiontime) })
if sdat then
local token = sys.uniqueid(16)
token = sys.uniqueid(16)
util.ubus("session", "set", {
ubus_rpc_session = sdat.ubus_rpc_session,
values = {
@ -345,15 +353,19 @@ function dispatch(request)
}
})
sess = sdat.ubus_rpc_session
ctx.urltoken.stok = token
end
end
if sess then
http.header("Set-Cookie", "sysauth=" .. sess.."; path="..build_url())
http.redirect(build_url(unpack(ctx.requestpath)))
if sess and token then
http.header("Set-Cookie", 'sysauth=%s; path=%s/' %{
sess, build_url()
})
ctx.urltoken.stok = token
ctx.authsession = sess
ctx.authuser = user
http.redirect(build_url(unpack(ctx.requestpath)))
end
end
else

14
modules/luci-mod-admin-full/luasrc/controller/admin/index.lua
View file

@ -28,13 +28,17 @@ end
function action_logout()
local dsp = require "luci.dispatcher"
local utl = require "luci.util"
if dsp.context.authsession then
utl.ubus("session", "destroy", {
ubus_rpc_session = dsp.context.authsession
})
local sid = dsp.context.authsession
if sid then
utl.ubus("session", "destroy", { ubus_rpc_session = sid })
dsp.context.urltoken.stok = nil
luci.http.header("Set-Cookie", "sysauth=%s; expires=%s; path=%s/" %{
sid, 'Thu, 01 Jan 1970 01:00:00 GMT', dsp.build_url()
})
end
luci.http.header("Set-Cookie", "sysauth=; path=" .. dsp.build_url())
luci.http.redirect(luci.dispatcher.build_url())
end