summaryrefslogtreecommitdiffhomepage
path: root/modules/luci-base/luasrc
diff options
context:
space:
mode:
authorJo-Philipp Wich <jow@openwrt.org>2015-02-09 16:30:11 +0100
committerJo-Philipp Wich <jow@openwrt.org>2015-02-09 16:30:11 +0100
commitec1a86977b1dc5cfc1c24ab1d54205531404087b (patch)
tree27376bfcec7d3fda1e935c6b9bdb7921be15c8dc /modules/luci-base/luasrc
parentec90cd69ed80ea4dfe8a9d44a42b155470c47b6b (diff)
Avoid setting duplicate cookies
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Diffstat (limited to 'modules/luci-base/luasrc')
-rw-r--r--modules/luci-base/luasrc/dispatcher.lua24
1 files changed, 18 insertions, 6 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index f92af528e1..8b8d1fa349 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -114,7 +114,14 @@ function authenticator.htmlauth(validator, accs, default)
if context.urltoken.stok then
context.urltoken.stok = nil
- http.header("Set-Cookie", "sysauth=; path="..build_url())
+
+ local cookie = 'sysauth=%s; expires=%s; path=%s/' %{
+ http.getcookie('sysauth') or 'x',
+ 'Thu, 01 Jan 1970 01:00:00 GMT',
+ build_url()
+ }
+
+ http.header("Set-Cookie", cookie)
http.redirect(build_url())
else
require("luci.i18n")
@@ -329,13 +336,14 @@ function dispatch(request)
if not util.contains(accs, user) then
if authen then
local user, sess = authen(sys.user.checkpasswd, accs, def)
+ local token
if not user or not util.contains(accs, user) then
return
else
if not sess then
local sdat = util.ubus("session", "create", { timeout = tonumber(luci.config.sauth.sessiontime) })
if sdat then
- local token = sys.uniqueid(16)
+ token = sys.uniqueid(16)
util.ubus("session", "set", {
ubus_rpc_session = sdat.ubus_rpc_session,
values = {
@@ -345,15 +353,19 @@ function dispatch(request)
}
})
sess = sdat.ubus_rpc_session
- ctx.urltoken.stok = token
end
end
- if sess then
- http.header("Set-Cookie", "sysauth=" .. sess.."; path="..build_url())
- http.redirect(build_url(unpack(ctx.requestpath)))
+ if sess and token then
+ http.header("Set-Cookie", 'sysauth=%s; path=%s/' %{
+ sess, build_url()
+ })
+
+ ctx.urltoken.stok = token
ctx.authsession = sess
ctx.authuser = user
+
+ http.redirect(build_url(unpack(ctx.requestpath)))
end
end
else