Quick fix for CDA security issue

2024-09-03 20:06:27 +02:00 · 2017-05-17 10:44:26 +02:00 · 2017-05-17 10:44:26 +02:00 · fc52f05459
commit fc52f05459
parent 98a6879ab4
2 changed files with 3 additions and 3 deletions
--- a/access.lua
+++ b/access.lua
@ -41,11 +41,11 @@ if ngx.var.host ~= conf["portal_domain"] and ngx.var.request_method == "GET" the

        -- Use the `cache` shared table where a username is associated with
        -- a CDA key
-        user = cache:get(cda_key)
+        user = cache:get("CDA|"..cda_key)
        if user then
            hlp.set_auth_cookie(user, ngx.var.host)
            ngx.log(ngx.NOTICE, "Cross-domain authentication: "..user.." connected on "..ngx.var.host)
-            cache:delete(cda_key)
+            cache:delete("CDA|"..cda_key)
        end

        uri_args[conf.login_arg] = nil
--- a/helpers.lua
+++ b/helpers.lua
@ -108,7 +108,7 @@ end
 -- Set the Cross-Domain-Authentication key for a specific user
 function set_cda_key()
    local cda_key = random_string()
-    cache:set(cda_key, authUser, 10)
+    cache:set("CDA|"..cda_key, authUser, 10)
    return cda_key
 end