[fix] don't include the IP in the token; it is useless and causes infinite redirections

A security-minded friend confirmed that this was nearly useless here: the token is marked Secure and can only be exchanged over HTTPS, so if someone managed to steal it the user has far more important problems.

Laurent Peuch 2017-05-17 21:48:19 +02:00 committed by opi
parent 2456eda200
commit 98a6879ab4


@ -133,8 +133,7 @@ function set_auth_cookie(user, domain)
cache:add("session_"..user, session_key, conf["session_max_timeout"]) cache:add("session_"..user, session_key, conf["session_max_timeout"])
end end
local hash = hmac_sha512(srvkey, local hash = hmac_sha512(srvkey,
ngx.var.remote_addr.. user..
"|"..user..
"|"..expire.. "|"..expire..
"|"..session_key) "|"..session_key)
local cookie_str = "; Domain=."..domain.. local cookie_str = "; Domain=."..domain..
@ -202,8 +201,7 @@ function is_logged_in()
if cache:get(user.."-password") then if cache:get(user.."-password") then
authUser = user authUser = user
local hash = hmac_sha512(srvkey, local hash = hmac_sha512(srvkey,
ngx.var.remote_addr.. authUser..
"|"..authUser..
"|"..expireTime.. "|"..expireTime..
"|"..session_key) "|"..session_key)
return hash == authHash return hash == authHash
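Review bot: Dropping `ngx.var.remote_addr` from the MAC input (lines 22–26, and the matching change in `set_auth_cookie`) removes the only binding between the cookie and the client, so a stolen cookie now verifies from any host for as long as it is valid; that is a defensible trade-off given the redirect loops, but the commit text's argument that `Secure` makes theft unlikely only covers plaintext transport, not XSS or a compromised browser. The attribute that actually limits theft is `HttpOnly` (and ideally `SameSite`) on `cookie_str`, which is built past the end of the first hunk, so please confirm it is set there. I would record the decision next to the MAC computation so nobody re-adds the IP later: `-- MAC covers user|expire|session_key only; the cookie is deliberately not bound to the client IP (that caused redirect loops behind NAT/proxies)`. Note also that `user` is interpolated with a `|` separator into the MAC input; if usernames can ever contain `|` the fields become ambiguous, which is worth a sentence in that comment or a rejection of such names at signup. Both `set_auth_cookie` and `is_logged_in` start and end outside these hunks.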