From 83d520ab07c05bb637d9ec35da590814064e51f8 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Mon, 26 Jan 2015 17:31:21 +0100 Subject: [PATCH] luci-base: improve login/logout handling Redirect to the canonical url after login and redirect to an url without security token if the session expired. Also make sure that the login page is served with status code 403, not 200 to give ajax calls a chance to detect expired sessions. Signed-off-by: Jo-Philipp Wich --- modules/luci-base/luasrc/dispatcher.lua | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua index 155d31b10..0cb3e7020 100644 --- a/modules/luci-base/luasrc/dispatcher.lua +++ b/modules/luci-base/luasrc/dispatcher.lua @@ -128,10 +128,18 @@ function authenticator.htmlauth(validator, accs, default) return user end - require("luci.i18n") - require("luci.template") - context.path = {} - luci.template.render("sysauth", {duser=default, fuser=user}) + if context.urltoken.stok then + context.urltoken.stok = nil + http.header("Set-Cookie", "sysauth=; path="..build_url()) + http.redirect(build_url()) + else + require("luci.i18n") + require("luci.template") + context.path = {} + http.status(403, "Forbidden") + luci.template.render("sysauth", {duser=default, fuser=user}) + end + return false end @@ -340,7 +348,6 @@ function dispatch(request) if not util.contains(accs, user) then if authen then - ctx.urltoken.stok = nil local user, sess = authen(sys.user.checkpasswd, accs, def) if not user or not util.contains(accs, user) then return @@ -364,6 +371,7 @@ function dispatch(request) if sess then http.header("Set-Cookie", "sysauth=" .. sess.."; path="..build_url()) + http.redirect(build_url(unpack(ctx.requestpath))) ctx.authsession = sess ctx.authuser = user end -- 2.11.0