[fix] don't include ip in token, this is useless and make infinite redirection\n\nIt has been confirmed by a security friend that this was nearly useless here, since the token is marked as Secure and can only be exchanged over HTTPS; so if someone managed to steal it, the user has far more important problems.

This commit is contained in:
Laurent Peuch 2017-05-17 21:48:19 +02:00 committed by opi
parent 2456eda200
commit 98a6879ab4


@ -133,8 +133,7 @@ function set_auth_cookie(user, domain)
cache:add("session_"..user, session_key, conf["session_max_timeout"])
end
local hash = hmac_sha512(srvkey,
ngx.var.remote_addr..
"|"..user..
user..
"|"..expire..
"|"..session_key)
local cookie_str = "; Domain=."..domain..
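Review bot: With `ngx.var.remote_addr` removed, the token is `HMAC-SHA512(srvkey, user|expire|session_key)` and the only thing left tying it to a client is the cookie's own attributes, so the `Secure` flag the commit message relies on should be confirmed on the cookie string built from the last line onward, together with `HttpOnly` — `Secure` only prevents plaintext transmission, it does not stop script access or local malware reading the cookie. The `"|"`-joined layout is also left undocumented; I would add above the `hmac_sha512` call: `-- auth token = HMAC-SHA512(srvkey, user|expire|session_key); deliberately not bound to the client IP (changing/proxied addresses caused redirect loops)`. If `user` may contain `|`, the concatenation is ambiguous and a length-prefixed or escaped encoding would be safer, but I cannot see from here whether usernames are validated upstream. set_auth_cookie starts before this hunk.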
@ -202,8 +201,7 @@ function is_logged_in()
if cache:get(user.."-password") then
authUser = user
local hash = hmac_sha512(srvkey,
ngx.var.remote_addr..
"|"..authUser..
authUser..
"|"..expireTime..
"|"..session_key)
return hash == authHash
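Review bot: Once the IP is dropped, the `hash == authHash` comparison on the last line accepts any cookie whose `expireTime` and `session_key` still match, so the outcome depends on `expireTime` being checked against the current time and on `session_key` being the server-side value (the `"session_"..user` cache entry that set_auth_cookie populates) rather than something read back from the cookie — neither is visible in this hunk, so please confirm. The recomputed input must stay byte-for-byte aligned with set_auth_cookie's order (`user|expire|session_key`), otherwise every live session silently fails verification; a small shared helper that builds the HMAC input for both functions would stop the two copies drifting again. At minimum a comment on the `hmac_sha512` line, `-- must mirror the HMAC input built in set_auth_cookie`, would flag the coupling. is_logged_in starts before this hunk.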