Avoid setting duplicate cookies
authorJo-Philipp Wich <jow@openwrt.org>
Mon, 9 Feb 2015 15:30:11 +0000 (16:30 +0100)
committerJo-Philipp Wich <jow@openwrt.org>
Mon, 9 Feb 2015 15:30:11 +0000 (16:30 +0100)
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
modules/luci-base/luasrc/dispatcher.lua
modules/luci-mod-admin-full/luasrc/controller/admin/index.lua

index f92af528e1a4af362c261baf066c03ba1e58f639..8b8d1fa3499cf03ce6c2542b67844bf39527bfff 100644 (file)
@@ -114,7 +114,14 @@ function authenticator.htmlauth(validator, accs, default)
 
        if context.urltoken.stok then
                context.urltoken.stok = nil
-               http.header("Set-Cookie", "sysauth=; path="..build_url())
+
+               local cookie = 'sysauth=%s; expires=%s; path=%s/' %{
+                   http.getcookie('sysauth') or 'x',
+                       'Thu, 01 Jan 1970 01:00:00 GMT',
+                       build_url()
+               }
+
+               http.header("Set-Cookie", cookie)
                http.redirect(build_url())
        else
                require("luci.i18n")
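Review bot: The expiring cookie built in the `local cookie = ... %{ ... }` table echoes the request's own `sysauth` value (`http.getcookie('sysauth') or 'x'`) back into a response header, which is unnecessary: a browser matches a deletion on name, domain and path, not on value, so a constant such as `'sysauth=x; expires=%s; path=%s/' %{ 'Thu, 01 Jan 1970 01:00:00 GMT', build_url() }` clears it just as well. Whether `http.getcookie` strips separator or control characters is not visible in this hunk, so keeping client-supplied bytes out of `Set-Cookie` is the safer default either way. The logout hunk in index.lua uses the same shape, though there the value is `dsp.context.authsession` rather than the raw cookie. The enclosing `htmlauth` function continues outside the hunk.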
@@ -329,13 +336,14 @@ function dispatch(request)
                if not util.contains(accs, user) then
                        if authen then
                                local user, sess = authen(sys.user.checkpasswd, accs, def)
+                               local token
                                if not user or not util.contains(accs, user) then
                                        return
                                else
                                        if not sess then
                                                local sdat = util.ubus("session", "create", { timeout = tonumber(luci.config.sauth.sessiontime) })
                                                if sdat then
-                                                       local token = sys.uniqueid(16)
+                                                       token = sys.uniqueid(16)
                                                        util.ubus("session", "set", {
                                                                ubus_rpc_session = sdat.ubus_rpc_session,
                                                                values = {
@@ -345,15 +353,19 @@ function dispatch(request)
                                                                }
                                                        })
                                                        sess = sdat.ubus_rpc_session
-                                                       ctx.urltoken.stok = token
                                                end
                                        end
 
-                                       if sess then
-                                               http.header("Set-Cookie", "sysauth=" .. sess.."; path="..build_url())
-                                               http.redirect(build_url(unpack(ctx.requestpath)))
+                                       if sess and token then
+                                               http.header("Set-Cookie", 'sysauth=%s; path=%s/' %{
+                                                  sess, build_url()
+                                               })
+
+                                               ctx.urltoken.stok = token
                                                ctx.authsession = sess
                                                ctx.authuser = user
+
+                                               http.redirect(build_url(unpack(ctx.requestpath)))
                                        end
                                end
                        else
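Review bot: The new guard `if sess and token then` no longer covers the case the removed `if sess then` did: when `authen` returns a non-nil `sess`, the `if not sess` branch is skipped, `token` (hoisted in the preceding hunk) stays nil, and neither `ctx.authsession`/`ctx.authuser` nor the redirect is set. If no authenticator ever returns a session this is harmless, but then a comment on the guard such as `-- token is only minted for freshly created sessions; authenticators return only a user` would make the intent explicit; otherwise the token of a pre-existing session needs to be looked up before the guard. Separately, the new header `'sysauth=%s; path=%s/' %{ sess, build_url() }` carries no `HttpOnly` attribute, so the session id stays readable by page scripts; `'sysauth=%s; path=%s/; HttpOnly' %{ sess, build_url() }` closes that at no cost. `dispatch` continues on both sides of this hunk.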
index 74a3fd9adc7c41181082596745ce17c4881d2bd6..d00d546b649b37eb195aff734372de4d4d6e4821 100644 (file)
@@ -28,13 +28,17 @@ end
 function action_logout()
        local dsp = require "luci.dispatcher"
        local utl = require "luci.util"
-       if dsp.context.authsession then
-               utl.ubus("session", "destroy", {
-                       ubus_rpc_session = dsp.context.authsession
-               })
+       local sid = dsp.context.authsession
+
+       if sid then
+               utl.ubus("session", "destroy", { ubus_rpc_session = sid })
+
                dsp.context.urltoken.stok = nil
+
+               luci.http.header("Set-Cookie", "sysauth=%s; expires=%s; path=%s/" %{
+                       sid, 'Thu, 01 Jan 1970 01:00:00 GMT', dsp.build_url()
+               })
        end
 
-       luci.http.header("Set-Cookie", "sysauth=; path=" .. dsp.build_url())
        luci.http.redirect(luci.dispatcher.build_url())
 end
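Review bot: Cookies issued before this change carry `path=<build_url()>` without a trailing slash (the removed `"sysauth=; path=" .. dsp.build_url()` line here and the removed lines in dispatcher.lua show the old form), so the expiring cookie with `path=%s/` will not match them and a stale `sysauth` cookie can survive logout in a browser that still holds one; the server-side session is destroyed regardless, so this is hygiene rather than a hole, but emitting both path variants for a transition period, or noting the mismatch in a comment, would avoid confusion. The clearing header is also now emitted only when `sid` is set, which is fine provided `action_logout` is reachable only through an authenticated route — that routing is not visible here.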