Redirect to the canonical url after login and redirect to an url without
security token if the session expired. Also make sure that the login page
is served with status code 403, not 200 to give ajax calls a chance to
detect expired sessions.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
- require("luci.i18n")
- require("luci.template")
- context.path = {}
- luci.template.render("sysauth", {duser=default, fuser=user})
+ if context.urltoken.stok then
+ context.urltoken.stok = nil
+ http.header("Set-Cookie", "sysauth=; path="..build_url())
+ http.redirect(build_url())
+ else
+ require("luci.i18n")
+ require("luci.template")
+ context.path = {}
+ http.status(403, "Forbidden")
+ luci.template.render("sysauth", {duser=default, fuser=user})
+ end
+
if not util.contains(accs, user) then
if authen then
if not util.contains(accs, user) then
if authen then
- ctx.urltoken.stok = nil
local user, sess = authen(sys.user.checkpasswd, accs, def)
if not user or not util.contains(accs, user) then
return
local user, sess = authen(sys.user.checkpasswd, accs, def)
if not user or not util.contains(accs, user) then
return
if sess then
http.header("Set-Cookie", "sysauth=" .. sess.."; path="..build_url())
if sess then
http.header("Set-Cookie", "sysauth=" .. sess.."; path="..build_url())
+ http.redirect(build_url(unpack(ctx.requestpath)))
ctx.authsession = sess
ctx.authuser = user
end
ctx.authsession = sess
ctx.authuser = user
end