diff options
author | Jo-Philipp Wich <jow@openwrt.org> | 2015-02-09 16:30:11 +0100 |
---|---|---|
committer | Jo-Philipp Wich <jow@openwrt.org> | 2015-02-09 16:30:11 +0100 |
commit | ec1a86977b1dc5cfc1c24ab1d54205531404087b (patch) | |
tree | 27376bfcec7d3fda1e935c6b9bdb7921be15c8dc /modules | |
parent | ec90cd69ed80ea4dfe8a9d44a42b155470c47b6b (diff) |
Avoid setting duplicate cookies
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Diffstat (limited to 'modules')
-rw-r--r-- | modules/luci-base/luasrc/dispatcher.lua | 24 | ||||
-rw-r--r-- | modules/luci-mod-admin-full/luasrc/controller/admin/index.lua | 14 |
2 files changed, 27 insertions, 11 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua index f92af528e..8b8d1fa34 100644 --- a/modules/luci-base/luasrc/dispatcher.lua +++ b/modules/luci-base/luasrc/dispatcher.lua @@ -114,7 +114,14 @@ function authenticator.htmlauth(validator, accs, default) if context.urltoken.stok then context.urltoken.stok = nil - http.header("Set-Cookie", "sysauth=; path="..build_url()) + + local cookie = 'sysauth=%s; expires=%s; path=%s/' %{ + http.getcookie('sysauth') or 'x', + 'Thu, 01 Jan 1970 01:00:00 GMT', + build_url() + } + + http.header("Set-Cookie", cookie) http.redirect(build_url()) else require("luci.i18n") @@ -329,13 +336,14 @@ function dispatch(request) if not util.contains(accs, user) then if authen then local user, sess = authen(sys.user.checkpasswd, accs, def) + local token if not user or not util.contains(accs, user) then return else if not sess then local sdat = util.ubus("session", "create", { timeout = tonumber(luci.config.sauth.sessiontime) }) if sdat then - local token = sys.uniqueid(16) + token = sys.uniqueid(16) util.ubus("session", "set", { ubus_rpc_session = sdat.ubus_rpc_session, values = { @@ -345,15 +353,19 @@ function dispatch(request) } }) sess = sdat.ubus_rpc_session - ctx.urltoken.stok = token end end - if sess then - http.header("Set-Cookie", "sysauth=" .. sess.."; path="..build_url()) - http.redirect(build_url(unpack(ctx.requestpath))) + if sess and token then + http.header("Set-Cookie", 'sysauth=%s; path=%s/' %{ + sess, build_url() + }) + + ctx.urltoken.stok = token ctx.authsession = sess ctx.authuser = user + + http.redirect(build_url(unpack(ctx.requestpath))) end end else diff --git a/modules/luci-mod-admin-full/luasrc/controller/admin/index.lua b/modules/luci-mod-admin-full/luasrc/controller/admin/index.lua index 74a3fd9ad..d00d546b6 100644 --- a/modules/luci-mod-admin-full/luasrc/controller/admin/index.lua +++ b/modules/luci-mod-admin-full/luasrc/controller/admin/index.lua @@ -28,13 +28,17 @@ end function action_logout() local dsp = require "luci.dispatcher" local utl = require "luci.util" - if dsp.context.authsession then - utl.ubus("session", "destroy", { - ubus_rpc_session = dsp.context.authsession - }) + local sid = dsp.context.authsession + + if sid then + utl.ubus("session", "destroy", { ubus_rpc_session = sid }) + dsp.context.urltoken.stok = nil + + luci.http.header("Set-Cookie", "sysauth=%s; expires=%s; path=%s/" %{ + sid, 'Thu, 01 Jan 1970 01:00:00 GMT', dsp.build_url() + }) end - luci.http.header("Set-Cookie", "sysauth=; path=" .. dsp.build_url()) luci.http.redirect(luci.dispatcher.build_url()) end |