authorSteven Barth <steven@midlink.org>2008-12-15 10:40:45 +0000
committerSteven Barth <steven@midlink.org>2008-12-15 10:40:45 +0000
commit1ee5ba632ab52b5d3af5c88803fee89c8eaf6fe1 (patch)
treec71bbbb5247bb5f2a48f1f5e78d90dfe71d424b3 /modules
parent73109f3e46bc112faa9ebac16417b423d8661645 (diff)
Refined urltokens and XSRF protection
Diffstat (limited to 'modules')
-rw-r--r--modules/admin-full/luasrc/controller/admin/index.lua3
-rw-r--r--modules/admin-mini/luasrc/controller/mini/index.lua3
-rw-r--r--modules/rpc/luasrc/controller/rpc.lua3
3 files changed, 6 insertions, 3 deletions
diff --git a/modules/admin-full/luasrc/controller/admin/index.lua b/modules/admin-full/luasrc/controller/admin/index.lua
index c0322d3a2e..e2b812e8c3 100644
--- a/modules/admin-full/luasrc/controller/admin/index.lua
+++ b/modules/admin-full/luasrc/controller/admin/index.lua
@@ -53,8 +53,9 @@ function action_logout()
local sauth = require "luci.sauth"
if dsp.context.authsession then
sauth.kill(dsp.context.authsession)
+ dsp.context.urltoken.stok = nil
end
- luci.http.header("Set-Cookie", "sysauth=; path=/")
+ luci.http.header("Set-Cookie", "sysauth=; path=" .. dsp.build_url())
luci.http.redirect(luci.dispatcher.build_url())
end \ No newline at end of file
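Review bot: The new `Set-Cookie` line in `action_logout` sends an empty `sysauth` value with no expiry, so the browser keeps an empty cookie instead of deleting it. Because the path is now `dsp.build_url()`, it also no longer matches a cookie issued earlier with `path=/`, so such a cookie stays in the browser and only the server-side `sauth.kill` ends that session. I would expire it explicitly: `luci.http.header("Set-Cookie", "sysauth=; path=" .. dsp.build_url() .. "; expires=Thu, 01 Jan 1970 00:00:00 GMT")`. The added `dsp.context.urltoken.stok = nil` also assumes `urltoken` is always a table whenever `authsession` is set, which is not visible here and is worth confirming. The same two lines are added in `modules/admin-mini/luasrc/controller/mini/index.lua` and the same points apply there; `action_logout` starts above the hunk.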
diff --git a/modules/admin-mini/luasrc/controller/mini/index.lua b/modules/admin-mini/luasrc/controller/mini/index.lua
index dad6ccfab3..acff55aabb 100644
--- a/modules/admin-mini/luasrc/controller/mini/index.lua
+++ b/modules/admin-mini/luasrc/controller/mini/index.lua
@@ -44,8 +44,9 @@ function action_logout()
local sauth = require "luci.sauth"
if dsp.context.authsession then
sauth.kill(dsp.context.authsession)
+ dsp.context.urltoken.stok = nil
end
- luci.http.header("Set-Cookie", "sysauth=; path=/")
+ luci.http.header("Set-Cookie", "sysauth=; path=" .. dsp.build_url())
luci.http.redirect(luci.dispatcher.build_url())
end \ No newline at end of file
diff --git a/modules/rpc/luasrc/controller/rpc.lua b/modules/rpc/luasrc/controller/rpc.lua
index d83c26d455..e0aeb3bf04 100644
--- a/modules/rpc/luasrc/controller/rpc.lua
+++ b/modules/rpc/luasrc/controller/rpc.lua
@@ -25,7 +25,8 @@ function index()
local function authenticator(validator, accs)
local auth = luci.http.formvalue("auth", true)
if auth then
- local user = luci.sauth.read(auth)
+ local sdat = luci.sauth.read(auth)
+ user = loadstring(sdat)().user
if user and luci.util.contains(accs, user) then
return user, auth
end
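Review bot: `user = loadstring(sdat)().user` drops the `local` that the removed line had, so `user` becomes a global visible to anything else in the same Lua state, and it runs the stored session string as Lua with full access to globals. The `auth` value comes straight from the request, so if `luci.sauth.read` returns nil for an unknown token (its behaviour is not visible here), `loadstring` raises an error instead of the authenticator denying the request cleanly. I would keep `user` local, check each step, and call the chunk under `pcall` with an empty environment so that session data can only yield a table. `authenticator` continues past the end of this hunk.

```lua
local sdat = luci.sauth.read(auth)
local chunk = sdat and loadstring(sdat)
local user
if chunk then
	-- empty environment: the chunk can return a table but cannot reach globals
	local ok, sess = pcall(setfenv(chunk, {}))
	user = ok and type(sess) == "table" and sess.user or nil
end
if user and luci.util.contains(accs, user) then
-- … unchanged: return user, auth …
```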