rmalley
/
smr
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix CSRF 

Domain name was hardcoded, use the config file instead.
This commit is contained in:
Robin Malley 2021-04-09 19:16:36 +00:00
parent fd87cf95ee
commit 9e51de6c8e
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/lua/endpoints/login_post.lua
View File

@ -35,8 +35,9 @@ local function login_post(req)
local hash = sha3(todigest)
if hash == passhash then
local mysession = session.start(id)
local domain_no_port = config.domain:match("(.*):.*")
http_response_header(req,"set-cookie",string.format(
[[session=%s; SameSite=Lax; Path=/; Domain=test.monster; HttpOnly; Secure]],mysession
[[session=%s; SameSite=Lax; Path=/; Domain=%s; HttpOnly; Secure]],mysession,domain_no_port
))
local loc = string.format("https://%s.%s",name,config.domain)
http_response_header(req,"Location",loc)