[fix] don't include ip in token, this is useless and make infinite redirection\n\nIt has been confirmed by a security friend that this was nearly useless here since the token is marked as Secure and can only be exchanged on https so if someone managed to steal it the user have way more important problems.

2024-09-03 20:06:27 +02:00 · 2017-05-17 21:48:19 +02:00 · 2017-05-17 21:48:19 +02:00 · 0c079c8502
commit 0c079c8502
parent 782d81fbfe
1 changed files with 2 additions and 4 deletions
--- a/helpers.lua
+++ b/helpers.lua
@ -133,8 +133,7 @@ function set_auth_cookie(user, domain)
        cache:add("session_"..user, session_key, conf["session_max_timeout"])
    end
    local hash = hmac_sha512(srvkey,
-               ngx.var.remote_addr..
-               "|"..user..
+               user..
               "|"..expire..
               "|"..session_key)
    local cookie_str = "; Domain=."..domain..
@ -202,8 +201,7 @@ function is_logged_in()
                if cache:get(user.."-password") then
                    authUser = user
                    local hash = hmac_sha512(srvkey,
-                            ngx.var.remote_addr..
-                            "|"..authUser..
+                            authUser..
                            "|"..expireTime..
                            "|"..session_key)
                    return hash == authHash