projects / project / luci.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 73b19f6)
luci-base: improve login/logout handling
authorJo-Philipp Wich <jow@openwrt.org>
Mon, 26 Jan 2015 16:31:21 +0000 (17:31 +0100)
committerJo-Philipp Wich <jow@openwrt.org>
Mon, 26 Jan 2015 16:31:21 +0000 (17:31 +0100)
Redirect to the canonical url after login and redirect to an url without
security token if the session expired. Also make sure that the login page
is served with status code 403, not 200 to give ajax calls a chance to
detect expired sessions.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
modules/luci-base/luasrc/dispatcher.lua patch | blob | history

diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index 155d31b10f6ac1d769cafed724479e078f6ef7ff..0cb3e7020cb4e8addb753093f76713fc08bf8e55 100644 (file)
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -128,10 +128,18 @@ function authenticator.htmlauth(validator, accs, default)
                return user
        end
 
-       require("luci.i18n")
-       require("luci.template")
-       context.path = {}
-       luci.template.render("sysauth", {duser=default, fuser=user})
+       if context.urltoken.stok then
+               context.urltoken.stok = nil
+               http.header("Set-Cookie", "sysauth=; path="..build_url())
+               http.redirect(build_url())
+       else
+               require("luci.i18n")
+               require("luci.template")
+               context.path = {}
+               http.status(403, "Forbidden")
+               luci.template.render("sysauth", {duser=default, fuser=user})
+       end
+
        return false
 
 end
@@ -340,7 +348,6 @@ function dispatch(request)
 
                if not util.contains(accs, user) then
                        if authen then
-                               ctx.urltoken.stok = nil
                                local user, sess = authen(sys.user.checkpasswd, accs, def)
                                if not user or not util.contains(accs, user) then
                                        return
@@ -364,6 +371,7 @@ function dispatch(request)
 
                                        if sess then
                                                http.header("Set-Cookie", "sysauth=" .. sess.."; path="..build_url())
+                                               http.redirect(build_url(unpack(ctx.requestpath)))
                                                ctx.authsession = sess
                                                ctx.authuser = user
                                        end
Lua Configuration Interface (mirror)