Avoid setting duplicate cookies

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich 2015-02-09 16:30:11 +01:00
parent ec90cd69ed
commit ec1a86977b
2 changed files with 27 additions and 11 deletions


@ -114,7 +114,14 @@ function authenticator.htmlauth(validator, accs, default)
if context.urltoken.stok then if context.urltoken.stok then
context.urltoken.stok = nil context.urltoken.stok = nil
http.header("Set-Cookie", "sysauth=; path="..build_url())
local cookie = 'sysauth=%s; expires=%s; path=%s/' %{
http.getcookie('sysauth') or 'x',
'Thu, 01 Jan 1970 01:00:00 GMT',
build_url()
}
http.header("Set-Cookie", cookie)
http.redirect(build_url()) http.redirect(build_url())
else else
require("luci.i18n") require("luci.i18n")
@ -329,13 +336,14 @@ function dispatch(request)
if not util.contains(accs, user) then if not util.contains(accs, user) then
if authen then if authen then
local user, sess = authen(sys.user.checkpasswd, accs, def) local user, sess = authen(sys.user.checkpasswd, accs, def)
local token
if not user or not util.contains(accs, user) then if not user or not util.contains(accs, user) then
return return
else else
if not sess then if not sess then
local sdat = util.ubus("session", "create", { timeout = tonumber(luci.config.sauth.sessiontime) }) local sdat = util.ubus("session", "create", { timeout = tonumber(luci.config.sauth.sessiontime) })
if sdat then if sdat then
local token = sys.uniqueid(16) token = sys.uniqueid(16)
util.ubus("session", "set", { util.ubus("session", "set", {
ubus_rpc_session = sdat.ubus_rpc_session, ubus_rpc_session = sdat.ubus_rpc_session,
values = { values = {
@ -345,15 +353,19 @@ function dispatch(request)
} }
}) })
sess = sdat.ubus_rpc_session sess = sdat.ubus_rpc_session
ctx.urltoken.stok = token
end end
end end
if sess then if sess and token then
http.header("Set-Cookie", "sysauth=" .. sess.."; path="..build_url()) http.header("Set-Cookie", 'sysauth=%s; path=%s/' %{
http.redirect(build_url(unpack(ctx.requestpath))) sess, build_url()
})
ctx.urltoken.stok = token
ctx.authsession = sess ctx.authsession = sess
ctx.authuser = user ctx.authuser = user
http.redirect(build_url(unpack(ctx.requestpath)))
end end
end end
else else
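Review bot: The session cookie written at `http.header("Set-Cookie", 'sysauth=%s; path=%s/' %{` carries no `HttpOnly` attribute, so the session id remains readable from page scripts although only the server consumes it; `'sysauth=%s; path=%s/; HttpOnly' %{` would limit that exposure (a `Secure` flag could follow for requests that arrived over HTTPS, which this hunk does not show). Separately, the new guard `if sess and token then` skips setting `ctx.authsession`/`ctx.authuser` and the redirect whenever an authenticator returns an existing `sess` without a freshly created session (where `token` stays nil), which the old `if sess then` did not; the remainder of dispatch() lies outside the hunk, so I cannot confirm whether a later check covers that path. The expiry cookie in the first hunk also copies the request's own cookie value into the response header via `http.getcookie('sysauth') or 'x'`; since browsers match the cookie to expire by name and path, a constant value avoids reflecting request-controlled input into a header.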


@ -28,13 +28,17 @@ end
function action_logout() function action_logout()
local dsp = require "luci.dispatcher" local dsp = require "luci.dispatcher"
local utl = require "luci.util" local utl = require "luci.util"
if dsp.context.authsession then local sid = dsp.context.authsession
utl.ubus("session", "destroy", {
ubus_rpc_session = dsp.context.authsession if sid then
}) utl.ubus("session", "destroy", { ubus_rpc_session = sid })
dsp.context.urltoken.stok = nil dsp.context.urltoken.stok = nil
luci.http.header("Set-Cookie", "sysauth=%s; expires=%s; path=%s/" %{
sid, 'Thu, 01 Jan 1970 01:00:00 GMT', dsp.build_url()
})
end end
luci.http.header("Set-Cookie", "sysauth=; path=" .. dsp.build_url())
luci.http.redirect(luci.dispatcher.build_url()) luci.http.redirect(luci.dispatcher.build_url())
end end
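Review bot: The cookie-expiry header now sits inside `if sid then`, so a request reaching action_logout without `dsp.context.authsession` (for instance a browser still holding a `sysauth` cookie whose server-side session is already gone) no longer gets the cookie cleared, whereas the removed unconditional `luci.http.header("Set-Cookie", "sysauth=; path=" .. dsp.build_url())` did; whether such a request can reach this action depends on the dispatcher's auth requirements for the node, which are outside the hunk. If unconditional clearing is intended, moving the `luci.http.header(...)` call after the `if` block with a fixed value in place of `sid` restores the old behaviour, since deletion is matched on name and path only. The literal `'Thu, 01 Jan 1970 01:00:00 GMT'` is now repeated here and twice in the dispatcher change; a shared constant such as `local COOKIE_EXPIRED = 'Thu, 01 Jan 1970 01:00:00 GMT'` would keep the three in step.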