[fix] don't include ip in token, this is useless and makes infinite redirection

It has been confirmed by a security friend that this was nearly useless here, since the token is marked as Secure and can only be exchanged over https; so if someone managed to steal it, the user has way more important problems.
This commit is contained in:
parent
2456eda200
commit
98a6879ab4
1 changed files with 2 additions and 4 deletions
|
@ -133,8 +133,7 @@ function set_auth_cookie(user, domain)
|
||||||
cache:add("session_"..user, session_key, conf["session_max_timeout"])
|
cache:add("session_"..user, session_key, conf["session_max_timeout"])
|
||||||
end
|
end
|
||||||
local hash = hmac_sha512(srvkey,
|
local hash = hmac_sha512(srvkey,
|
||||||
ngx.var.remote_addr..
|
user..
|
||||||
"|"..user..
|
|
||||||
"|"..expire..
|
"|"..expire..
|
||||||
"|"..session_key)
|
"|"..session_key)
|
||||||
local cookie_str = "; Domain=."..domain..
|
local cookie_str = "; Domain=."..domain..
|
||||||
|
@ -202,8 +201,7 @@ function is_logged_in()
|
||||||
if cache:get(user.."-password") then
|
if cache:get(user.."-password") then
|
||||||
authUser = user
|
authUser = user
|
||||||
local hash = hmac_sha512(srvkey,
|
local hash = hmac_sha512(srvkey,
|
||||||
ngx.var.remote_addr..
|
authUser..
|
||||||
"|"..authUser..
|
|
||||||
"|"..expireTime..
|
"|"..expireTime..
|
||||||
"|"..session_key)
|
"|"..session_key)
|
||||||
return hash == authHash
|
return hash == authHash
|
||||||
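Review bot: The HMAC input `user.."|"..expire.."|"..session_key` is now assembled by hand in both set_auth_cookie (first hunk) and is_logged_in (second hunk), which is why the same edit had to be made twice and why the signer and verifier can silently drift apart on the next change. A single file-local helper that both call would remove the duplication, and its header comment is the natural place to record that the client address is deliberately left out of the token, so a later maintainer does not re-add it and reintroduce the redirect loop this commit fixes. Both set_auth_cookie and is_logged_in start before and end after their hunks, and the sketch below assumes `srvkey` is visible at file scope, as both functions already use it. One pre-existing caveat worth a comment: the three fields are only unambiguously delimited if `user` cannot contain `|`; if usernames are validated elsewhere this holds, otherwise it should be enforced before the hash is built.
```lua
-- Authentication token: binds the user, the expiry and the server-side
-- session key. The client address is intentionally NOT part of it
-- (it changes behind NATs/proxies and caused infinite redirections).
-- Assumes `user` contains no "|", otherwise the fields are ambiguous.
local function auth_token_hash(user, expire, session_key)
    return hmac_sha512(srvkey, user.."|"..expire.."|"..session_key)
end

-- … unchanged: set_auth_cookie up to the session cache add …
local hash = auth_token_hash(user, expire, session_key)
-- … unchanged: cookie_str construction …

-- … unchanged: is_logged_in up to the password cache check …
local hash = auth_token_hash(authUser, expireTime, session_key)
return hash == authHash
```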