author | Jo-Philipp Wich <jow@openwrt.org> | 2015-02-09 16:30:11 +0100 |
---|---|---|
committer | Jo-Philipp Wich <jow@openwrt.org> | 2015-02-09 16:30:11 +0100 |
commit | ec1a86977b1dc5cfc1c24ab1d54205531404087b (patch) | |
tree | 27376bfcec7d3fda1e935c6b9bdb7921be15c8dc /modules/luci-base/luasrc | |
parent | ec90cd69ed80ea4dfe8a9d44a42b155470c47b6b (diff) |
Avoid setting duplicate cookies
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Diffstat (limited to 'modules/luci-base/luasrc')
-rw-r--r-- | modules/luci-base/luasrc/dispatcher.lua | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index f92af528e1..8b8d1fa349 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -114,7 +114,14 @@ function authenticator.htmlauth(validator, accs, default)
if context.urltoken.stok then
context.urltoken.stok = nil
- http.header("Set-Cookie", "sysauth=; path="..build_url())
+
+ local cookie = 'sysauth=%s; expires=%s; path=%s/' %{
+ http.getcookie('sysauth') or 'x',
+ 'Thu, 01 Jan 1970 01:00:00 GMT',
+ build_url()
+ }
+
+ http.header("Set-Cookie", cookie)
http.redirect(build_url())
else
require("luci.i18n")
@@ -329,13 +336,14 @@ function dispatch(request)
if not util.contains(accs, user) then
if authen then
local user, sess = authen(sys.user.checkpasswd, accs, def)
+ local token
if not user or not util.contains(accs, user) then
return
else
if not sess then
local sdat = util.ubus("session", "create", { timeout = tonumber(luci.config.sauth.sessiontime) })
if sdat then
- local token = sys.uniqueid(16)
+ token = sys.uniqueid(16)
util.ubus("session", "set", {
ubus_rpc_session = sdat.ubus_rpc_session,
values = {
@@ -345,15 +353,19 @@ function dispatch(request)
}
})
sess = sdat.ubus_rpc_session
- ctx.urltoken.stok = token
end
end
- if sess then
- http.header("Set-Cookie", "sysauth=" .. sess.."; path="..build_url())
- http.redirect(build_url(unpack(ctx.requestpath)))
+ if sess and token then
+ http.header("Set-Cookie", 'sysauth=%s; path=%s/' %{
+ sess, build_url()
+ })
+
+ ctx.urltoken.stok = token
ctx.authsession = sess
ctx.authuser = user
+
+ http.redirect(build_url(unpack(ctx.requestpath)))
end
end
else |
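Review bot: The expiring cookie built in the first hunk copies the client-supplied cookie value straight into a response header via `http.getcookie('sysauth') or 'x'`, without checking it for `;` or CR/LF; unless `http.header` sanitizes its argument (not visible here), a crafted value can alter the cookie's attributes or the header itself. The value of a cookie that is being expired is irrelevant to the browser, so a constant removes the risk entirely: `local cookie = 'sysauth=x; expires=%s; path=%s/' %{ 'Thu, 01 Jan 1970 01:00:00 GMT', build_url() }`. Neither this header nor the login cookie set in the third hunk (`'sysauth=%s; path=%s/'`) carries `HttpOnly`, so the session id stays readable from page scripts; appending `; HttpOnly` to both format strings would close that and keeps the path attribute identical, which is what the duplicate-cookie fix depends on. authenticator.htmlauth begins and ends outside the hunk.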
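Review bot: The new guard `if sess and token then` in the third hunk silently skips the whole block when `authen` already returns a session, because `token` is only assigned inside the `if sdat then` branch of the newly created session path; on that path `ctx.urltoken.stok`, `ctx.authsession` and `ctx.authuser` are no longer set here and no redirect is issued, whereas the removed `if sess then` covered it. Whether any authenticator returns a ready session is not visible in the hunk, so this may be intended, but it deserves a one-line comment above the guard, e.g. `-- only a freshly created session gets a cookie and CSRF token; a session returned by authen is assumed to be bound already`. dispatch continues after the hunk, so the fallback for an already-bound session may live there; please confirm it still assigns ctx.authsession.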