X-Git-Url: http://git.archive.openwrt.org/?p=project%2Fluci.git;a=blobdiff_plain;f=modules%2Fluci-base%2Fluasrc%2Fdispatcher.lua;h=bb02912f4b21543cec6524e49f030457b267683b;hp=df562dd5dadabfcc79439111bc900add4cd6d87a;hb=86326e0deff92a485ffd47e22ac70194abb3fd66;hpb=f23f7b8751bb36829fd2136dffadcfe1e702149a

diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index df562dd5d..bb02912f4 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -113,24 +113,11 @@ function authenticator.htmlauth(validator, accs, default)
 		return user
 	end
 
-	if context.urltoken.stok then
-		context.urltoken.stok = nil
-
-		local cookie = 'sysauth=%s; expires=%s; path=%s/' %{
-		    http.getcookie('sysauth') or 'x',
-			'Thu, 01 Jan 1970 01:00:00 GMT',
-			build_url()
-		}
-
-		http.header("Set-Cookie", cookie)
-		http.redirect(build_url())
-	else
-		require("luci.i18n")
-		require("luci.template")
-		context.path = {}
-		http.status(403, "Forbidden")
-		luci.template.render("sysauth", {duser=default, fuser=user})
-	end
+	require("luci.i18n")
+	require("luci.template")
+	context.path = {}
+	http.status(403, "Forbidden")
+	luci.template.render("sysauth", {duser=default, fuser=user})
 
 	return false
 
@@ -151,18 +138,8 @@ function httpdispatch(request, prefix)
 		end
 	end
 
-	local tokensok = true
 	for node in pathinfo:gmatch("[^/]+") do
-		local tkey, tval
-		if tokensok then
-			tkey, tval = node:match(";(%w+)=([a-fA-F0-9]*)")
-		end
-		if tkey then
-			context.urltoken[tkey] = tval
-		else
-			tokensok = false
-			r[#r+1] = node
-		end
+		r[#r+1] = node
 	end
 
 	local stat, err = util.coxpcall(function()
@@ -311,13 +288,14 @@ function dispatch(request)
 		   resource    = luci.config.main.resourcebase;
 		   ifattr      = function(...) return _ifattr(...) end;
 		   attr        = function(...) return _ifattr(true, ...) end;
-		   token       = ctx.urltoken.stok;
 		   url         = build_url;
 		}, {__index=function(table, key)
 			if key == "controller" then
 				return build_url()
 			elseif key == "REQUEST_URI" then
 				return build_url(unpack(ctx.requestpath))
+			elseif key == "token" then
+				return ctx.authtoken
 			else
 				return rawget(table, key) or _G[key]
 			end
@@ -340,20 +318,17 @@ function dispatch(request)
 		local def  = (type(track.sysauth) == "string") and track.sysauth
 		local accs = def and {track.sysauth} or track.sysauth
 		local sess = ctx.authsession
-		local verifytoken = false
 		if not sess then
 			sess = http.getcookie("sysauth")
 			sess = sess and sess:match("^[a-f0-9]*$")
-			verifytoken = true
 		end
 
 		local sdat = (util.ubus("session", "get", { ubus_rpc_session = sess }) or { }).values
-		local user
+		local user, token
 
 		if sdat then
-			if not verifytoken or ctx.urltoken.stok == sdat.token then
-				user = sdat.user
-			end
+			user = sdat.user
+			token = sdat.token
 		else
 			local eu = http.getenv("HTTP_AUTH_USER")
 			local ep = http.getenv("HTTP_AUTH_PASS")
@@ -390,8 +365,8 @@ function dispatch(request)
 						   sess, build_url()
 						})
 
-						ctx.urltoken.stok = token
 						ctx.authsession = sess
+						ctx.authtoken = token
 						ctx.authuser = user
 
 						http.redirect(build_url(unpack(ctx.requestpath)))
@@ -403,6 +378,7 @@ function dispatch(request)
 			end
 		else
 			ctx.authsession = sess
+			ctx.authtoken = token
 			ctx.authuser = user
 		end
 	end
@@ -414,7 +390,7 @@ function dispatch(request)
 			return
 		end
 
-		if http.formvalue("token") ~= ctx.urltoken.stok then
+		if http.formvalue("token") ~= ctx.authtoken then
 			http.status(403, "Forbidden")
 			luci.template.render("csrftoken")
 			return