From ec1a86977b1dc5cfc1c24ab1d54205531404087b Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Mon, 9 Feb 2015 16:30:11 +0100
Subject: [PATCH] Avoid setting duplicate cookies

Signed-off-by: Jo-Philipp Wich
---
 modules/luci-base/luasrc/dispatcher.lua | 24 ++++++++++++++-----
 .../luasrc/controller/admin/index.lua | 14 +++++++----
 2 files changed, 27 insertions(+), 11 deletions(-)

diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index f92af528e1..8b8d1fa349 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -114,7 +114,14 @@ function authenticator.htmlauth(validator, accs, default)
 if context.urltoken.stok then
 context.urltoken.stok = nil
- http.header("Set-Cookie", "sysauth=; path="..build_url())
+
+ local cookie = 'sysauth=%s; expires=%s; path=%s/' %{
+ http.getcookie('sysauth') or 'x',
+ 'Thu, 01 Jan 1970 01:00:00 GMT',
+ build_url()
+ }
+
+ http.header("Set-Cookie", cookie)
 http.redirect(build_url())
 else
 require("luci.i18n")
@@ -329,13 +336,14 @@ function dispatch(request)
 if not util.contains(accs, user) then
 if authen then
 local user, sess = authen(sys.user.checkpasswd, accs, def)
+ local token
 if not user or not util.contains(accs, user) then
 return
 else
 if not sess then
 local sdat = util.ubus("session", "create", { timeout = tonumber(luci.config.sauth.sessiontime) })
 if sdat then
- local token = sys.uniqueid(16)
+ token = sys.uniqueid(16)
 util.ubus("session", "set", {
 ubus_rpc_session = sdat.ubus_rpc_session,
 values = {
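Review bot: The cookie value on the `http.getcookie('sysauth') or 'x'` line is taken from the incoming request and echoed back into a response header; no particular value is needed to expire a cookie, so a fixed one keeps client-controlled bytes out of `Set-Cookie`, e.g. `local cookie = 'sysauth=x; expires=%s; path=%s/' %{` with the `http.getcookie(...)` argument dropped. Separately, the path attribute changes from `build_url()` to `build_url() .. "/"`; since a cookie is identified by name, domain and path, a browser still holding a `sysauth` cookie stored under the old path before this change will presumably not have it cleared by this header — worth confirming, and the same applies to the logout header in index.lua. `authenticator.htmlauth` starts and ends outside the hunk.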
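Review bot: The new `local token` is only assigned inside `if not sess then … if sdat then`, so when `authen` returns a `user` together with an existing `sess`, `token` stays nil and the `if sess and token then` guard in the next hunk skips the cookie, `ctx.authsession`, `ctx.authuser` and the redirect that the removed `if sess then` used to perform, leaving the request to proceed with no session recorded in `ctx`. Whether any authenticator returns a session from this call is not visible in the diff; if that branch is meant to be unreachable, a comment on the `local token` line such as `-- assigned only when a session is created below; authenticators are expected not to return one` would record the assumption, otherwise keep `if sess then` and gate only the `ctx.urltoken.stok = token` assignment on `token`. `dispatch` starts and ends outside the hunk.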
@@ -345,15 +353,19 @@ function dispatch(request)
 }
 })
 sess = sdat.ubus_rpc_session
- ctx.urltoken.stok = token
 end
 end
- if sess then
- http.header("Set-Cookie", "sysauth=" .. sess.."; path="..build_url())
- http.redirect(build_url(unpack(ctx.requestpath)))
+ if sess and token then
+ http.header("Set-Cookie", 'sysauth=%s; path=%s/' %{
+ sess, build_url()
+ })
+
+ ctx.urltoken.stok = token
 ctx.authsession = sess
 ctx.authuser = user
+
+ http.redirect(build_url(unpack(ctx.requestpath)))
 end
 end
 else
diff --git a/modules/luci-mod-admin-full/luasrc/controller/admin/index.lua b/modules/luci-mod-admin-full/luasrc/controller/admin/index.lua
index 74a3fd9adc..d00d546b64 100644
--- a/modules/luci-mod-admin-full/luasrc/controller/admin/index.lua
+++ b/modules/luci-mod-admin-full/luasrc/controller/admin/index.lua
@@ -28,13 +28,17 @@ end
 function action_logout()
 local dsp = require "luci.dispatcher"
 local utl = require "luci.util"
- if dsp.context.authsession then
- utl.ubus("session", "destroy", {
- ubus_rpc_session = dsp.context.authsession
- })
+ local sid = dsp.context.authsession
+
+ if sid then
+ utl.ubus("session", "destroy", { ubus_rpc_session = sid })
+ dsp.context.urltoken.stok = nil
+
+ luci.http.header("Set-Cookie", "sysauth=%s; expires=%s; path=%s/" %{
+ sid, 'Thu, 01 Jan 1970 01:00:00 GMT', dsp.build_url()
+ })
 end
- luci.http.header("Set-Cookie", "sysauth=; path=" .. dsp.build_url())
 luci.http.redirect(luci.dispatcher.build_url())
 end
-- 
2.30.2
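Review bot: The session cookie built on the `'sysauth=%s; path=%s/'` line carries the authentication session id without an `HttpOnly` attribute, so it stays readable through document.cookie; `'sysauth=%s; path=%s/; HttpOnly'` would withhold it from script, and adding `Secure` when the request arrived over TLS would keep it off plaintext connections (how the dispatcher detects TLS is not visible here). The path now ends in `/`, so a request for `build_url()` without a trailing slash would not path-match this cookie; whether LuCI's entry URL always carries the slash cannot be told from this hunk, so a comment on the `http.header` line noting the intended scope would help the next reader. `dispatch` starts and ends outside the hunk.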
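Review bot: The expiring `Set-Cookie` header is now emitted only inside `if sid then`, so a browser reaching logout with a `sysauth` cookie for a session that has already expired or been destroyed keeps that stale cookie, whereas the removed unconditional line cleared it in every case; if leaving that to the `htmlauth` branch in dispatcher.lua is intended, a comment above `if sid then` such as `-- no live session: nothing to destroy, cookie expiry is left to the dispatcher` would record it. The `'Thu, 01 Jan 1970 01:00:00 GMT'` literal and the `sysauth=%s; expires=%s; path=%s/` format are duplicated in the dispatcher.lua htmlauth hunk; a shared constant or a small helper that emits the expiring cookie would keep the two in step. Mixing `"..."` for the format string with `'...'` for the date in one expression is a minor style nit.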