From 98a6879ab4d39e1130ec29393c04e50663735c81 Mon Sep 17 00:00:00 2001
From: Laurent Peuch
Date: Wed, 17 May 2017 21:48:19 +0200
Subject: [PATCH] [fix] don't include ip in token, this is useless and make infinite redirection

It has been confirmed by a security friend that this was nearly useless here since the token is marked as Secure and can only be exchanged on https so if someone managed to steal it the user have way more important problems.
---
 helpers.lua | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/helpers.lua b/helpers.lua
index f460122..41e8f37 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -133,8 +133,7 @@ function set_auth_cookie(user, domain)
 cache:add("session_"..user, session_key, conf["session_max_timeout"])
 end
 local hash = hmac_sha512(srvkey,
- ngx.var.remote_addr..
- "|"..user..
+ user..
 "|"..expire..
 "|"..session_key)
 local cookie_str = "; Domain=."..domain..
@@ -202,8 +201,7 @@ function is_logged_in()
 if cache:get(user.."-password") then
 authUser = user
 local hash = hmac_sha512(srvkey,
- ngx.var.remote_addr..
- "|"..authUser..
+ authUser..
 "|"..expireTime..
 "|"..session_key)
 return hash == authHash
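Review bot: The new HMAC input on the `+ user..` line drops the only client binding the token had, and the commit message's justification (the Secure flag) only covers theft over a plaintext network, not theft via XSS, a compromised browser or leaked logs; the stronger reason the code itself supports is that `ngx.var.remote_addr` is not a stable client identifier (proxies, NAT, mobile), which is what produced the redirect loop. That reasoning should sit next to the code so nobody re-adds the IP later: `-- Deliberately not bound to remote_addr: the client IP changes behind proxies/NAT, which invalidated the cookie mid-session and caused login redirect loops; revocation relies on the cached session_key instead.` With IP binding gone, the server-side `session_`..user cache entry added two lines above (with `session_max_timeout`) appears to be the only lever left to invalidate a stolen cookie, so the logout path should remove that entry — that code is outside this hunk. set_auth_cookie begins and ends outside the hunk.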
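Review bot: The token input `authUser.."|"..expireTime.."|"..session_key` is written out here a second time, identical to the one in set_auth_cookie, and the two copies must stay byte-for-byte in sync or every login ends in the redirect loop this commit is fixing. One helper called from both sites removes that failure mode: `local function session_token(user, expire, session_key)`, `return hmac_sha512(srvkey, user.."|"..expire.."|"..session_key)`, `end`. The `|` separator also makes the concatenation ambiguous for a username containing `|`; if usernames are not restricted elsewhere, a comment stating that assumption next to the helper would help the next reader. is_logged_in starts before this hunk, so where authUser, expireTime, authHash and session_key come from is not visible here.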