author | Jo-Philipp Wich <jow@openwrt.org> | 2015-01-26 17:31:21 +0100 |
---|---|---|
committer | Jo-Philipp Wich <jow@openwrt.org> | 2015-01-26 17:31:21 +0100 |
commit | 83d520ab07c05bb637d9ec35da590814064e51f8 (patch) | |
tree | 109ba81b62ac1dc6b9ace5754846c13f2b362787 /modules/luci-base/luasrc/dispatcher.lua | |
parent | 73b19f63822d511028baa8e3e7463d4e0a3ff857 (diff) |
luci-base: improve login/logout handling
Redirect to the canonical URL after login and redirect to a URL without the
security token if the session expired. Also make sure that the login page
is served with status code 403, not 200, to give ajax calls a chance to
detect expired sessions.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Diffstat (limited to 'modules/luci-base/luasrc/dispatcher.lua')
-rw-r--r-- | modules/luci-base/luasrc/dispatcher.lua | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index 155d31b10f..0cb3e7020c 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -128,10 +128,18 @@ function authenticator.htmlauth(validator, accs, default)
 return user
 end
- require("luci.i18n")
- require("luci.template")
- context.path = {}
- luci.template.render("sysauth", {duser=default, fuser=user})
+ if context.urltoken.stok then
+ context.urltoken.stok = nil
+ http.header("Set-Cookie", "sysauth=; path="..build_url())
+ http.redirect(build_url())
+ else
+ require("luci.i18n")
+ require("luci.template")
+ context.path = {}
+ http.status(403, "Forbidden")
+ luci.template.render("sysauth", {duser=default, fuser=user})
+ end
+
 return false
 end
@@ -340,7 +348,6 @@ function dispatch(request)
 if not util.contains(accs, user) then
 if authen then
- ctx.urltoken.stok = nil
 local user, sess = authen(sys.user.checkpasswd, accs, def)
 if not user or not util.contains(accs, user) then
 return
@@ -364,6 +371,7 @@ function dispatch(request)
 if sess then
 http.header("Set-Cookie", "sysauth=" .. sess.."; path="..build_url())
+ http.redirect(build_url(unpack(ctx.requestpath)))
 ctx.authsession = sess
 ctx.authuser = user
 end
 |
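Review bot: The cookie-clearing header in the new `stok` branch of htmlauth, `http.header("Set-Cookie", "sysauth=; path="..build_url())`, overwrites `sysauth` with an empty value but carries no expiry attribute, so the browser keeps the (now empty) session cookie for the rest of the browser session instead of dropping it; `"sysauth=; path="..build_url().."; Expires=Thu, 01 Jan 1970 00:00:00 GMT"` (or `Max-Age=0`) removes it outright, which is also what a logout path should do. Answering the login page with 403 in the other branch is the right status for an expired session. Since the same function now either redirects or renders depending on `context.urltoken.stok`, a one-line comment such as `-- a stok in the URL whose session no longer validates: drop token and cookie, redirect to a token-less URL` above the `if` would make that intent explicit; it is implied by the commit message but not visible in the code. htmlauth's body starts before the hunk.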
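Review bot: In the last hunk the new `http.redirect(build_url(unpack(ctx.requestpath)))` is issued before `ctx.authsession`/`ctx.authuser` are assigned and is not followed by a `return`, so whether the rest of dispatch() still runs for this request depends on whether http.redirect() ends the dispatch coroutine when it closes the response — the hunk itself does not show that. Making the exit explicit keeps the control flow independent of the SGI backend: set `ctx.authsession = sess` and `ctx.authuser = user` first, then `http.redirect(build_url(unpack(ctx.requestpath))); return`. Redirecting after a successful POST login is a good change in itself, as it prevents the credential-bearing request from being replayed on refresh. dispatch()'s body continues outside the hunk.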