From a58370ab74aebca6871b1524a655f7bb5086e0a6 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Tue, 7 Aug 2012 19:11:56 +0000
Subject: Rework authentication system

The validity of authentication tokens was determined by the mtime of respective authentication tokens on filesystem stored in $sessionpath. Talking about hardware without RTC or without a prior connection to a time server, date/time usually around 1970 - so is the mtime of the authentication token file in $sessionpath. When now configuring an internet connection via LuCI, the system might fetch the current date/time (e.g. via ntp) which invalidates the token, returns "403 Forbidden" and kicks the user out of the interface.

This patch changes the authentication system to use time values based on the uptime of the machine - rather than values based upon gettimeofday() and {a|m}time values - and save them inside the token. That way we can always determine the difference between login (last interaction respectively) and the current time, independent of the system clock jumping backwards/forwards.

Warning: This patch removes the clean() function and respective calls. This means, invalid tokens will NOT be determined and removed from filesystem automatically anymore. Before, every HTTP call caused a scan for invalid tokens, which is quite expensive. Instead, consider using a cron job deleting all stalled files periodically.

Contributed by T-Labs, Deutsche Telekom Innovation Laboratories

Signed-off-by: Mirko Vogt
---
 modules/rpc/luasrc/controller/rpc.lua | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'modules/rpc/luasrc/controller/rpc.lua')

diff --git a/modules/rpc/luasrc/controller/rpc.lua b/modules/rpc/luasrc/controller/rpc.lua
index 6b091163f1..b989b59a31 100644
--- a/modules/rpc/luasrc/controller/rpc.lua
+++ b/modules/rpc/luasrc/controller/rpc.lua
@@ -27,7 +27,7 @@ function index() if auth then -- if authentication token was given local sdat = luci.sauth.read(auth) if sdat then -- if given token is valid - user = loadstring(sdat)().user + user = luci.sauth.decode(sdat).user if user and luci.util.contains(accs, user) then return user, auth end @@ -68,7 +68,7 @@ function rpc_auth() secret = sys.uniqueid(16) http.header("Set-Cookie", "sysauth=" .. sid.."; path=/") - sauth.write(sid, util.get_bytecode({ + sauth.write(sid, sauth.encode({ user=user, token=token, secret=secret -- cgit v1.2.3
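Review bot: in the first hunk (index()), `user = luci.sauth.decode(sdat).user` indexes the decode result without checking it, so a session file that decode cannot parse (a token written in the old get_bytecode() format before this change, or a truncated file) raises "attempt to index a nil value" instead of being treated as an invalid session; the enclosing `if sdat then` only guards the read, not the decode. Suggest `local s = luci.sauth.decode(sdat)` followed by `user = s and s.user`, so a bad token falls through to the unauthenticated path. Dropping `loadstring(sdat)()` in favour of a decoder is the right direction, since the old form executed whatever the file in $sessionpath contained as Lua code.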
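Review bot: in the second hunk (rpc_auth()), the table handed to `sauth.write(sid, sauth.encode({ user=user, token=token, secret=secret` carries no time value, although the commit message says the uptime-based timestamps are saved inside the token; if sauth.write() stamps the session itself, a short comment at this call site would document that, otherwise RPC logins never receive the value the new validity check depends on. Also visible in the context lines: `http.header("Set-Cookie", "sysauth=" .. sid.."; path=/")` sets the session cookie without the HttpOnly attribute, which would be worth adding in the same change now that the sid alone ties a request to the stored session.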