From ec1a86977b1dc5cfc1c24ab1d54205531404087b Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jow@openwrt.org>
Date: Mon, 9 Feb 2015 16:30:11 +0100
Subject: [PATCH] Avoid setting duplicate cookies

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
---
 modules/luci-base/luasrc/dispatcher.lua            | 24 ++++++++++++++++------
 .../luasrc/controller/admin/index.lua              | 14 ++++++++-----
 2 files changed, 27 insertions(+), 11 deletions(-)

diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index f92af528e..8b8d1fa34 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -114,7 +114,14 @@ function authenticator.htmlauth(validator, accs, default)
 
 	if context.urltoken.stok then
 		context.urltoken.stok = nil
-		http.header("Set-Cookie", "sysauth=; path="..build_url())
+
+		local cookie = 'sysauth=%s; expires=%s; path=%s/' %{
+		    http.getcookie('sysauth') or 'x',
+			'Thu, 01 Jan 1970 01:00:00 GMT',
+			build_url()
+		}
+
+		http.header("Set-Cookie", cookie)
 		http.redirect(build_url())
 	else
 		require("luci.i18n")
@@ -329,13 +336,14 @@ function dispatch(request)
 		if not util.contains(accs, user) then
 			if authen then
 				local user, sess = authen(sys.user.checkpasswd, accs, def)
+				local token
 				if not user or not util.contains(accs, user) then
 					return
 				else
 					if not sess then
 						local sdat = util.ubus("session", "create", { timeout = tonumber(luci.config.sauth.sessiontime) })
 						if sdat then
-							local token = sys.uniqueid(16)
+							token = sys.uniqueid(16)
 							util.ubus("session", "set", {
 								ubus_rpc_session = sdat.ubus_rpc_session,
 								values = {
@@ -345,15 +353,19 @@ function dispatch(request)
 								}
 							})
 							sess = sdat.ubus_rpc_session
-							ctx.urltoken.stok = token
 						end
 					end
 
-					if sess then
-						http.header("Set-Cookie", "sysauth=" .. sess.."; path="..build_url())
-						http.redirect(build_url(unpack(ctx.requestpath)))
+					if sess and token then
+						http.header("Set-Cookie", 'sysauth=%s; path=%s/' %{
+						   sess, build_url()
+						})
+
+						ctx.urltoken.stok = token
 						ctx.authsession = sess
 						ctx.authuser = user
+
+						http.redirect(build_url(unpack(ctx.requestpath)))
 					end
 				end
 			else
diff --git a/modules/luci-mod-admin-full/luasrc/controller/admin/index.lua b/modules/luci-mod-admin-full/luasrc/controller/admin/index.lua
index 74a3fd9ad..d00d546b6 100644
--- a/modules/luci-mod-admin-full/luasrc/controller/admin/index.lua
+++ b/modules/luci-mod-admin-full/luasrc/controller/admin/index.lua
@@ -28,13 +28,17 @@ end
 function action_logout()
 	local dsp = require "luci.dispatcher"
 	local utl = require "luci.util"
-	if dsp.context.authsession then
-		utl.ubus("session", "destroy", {
-			ubus_rpc_session = dsp.context.authsession
-		})
+	local sid = dsp.context.authsession
+
+	if sid then
+		utl.ubus("session", "destroy", { ubus_rpc_session = sid })
+
 		dsp.context.urltoken.stok = nil
+
+		luci.http.header("Set-Cookie", "sysauth=%s; expires=%s; path=%s/" %{
+			sid, 'Thu, 01 Jan 1970 01:00:00 GMT', dsp.build_url()
+		})
 	end
 
-	luci.http.header("Set-Cookie", "sysauth=; path=" .. dsp.build_url())
 	luci.http.redirect(luci.dispatcher.build_url())
 end
-- 
2.11.0