Changeset 591

Timestamp:

02/12/14 17:57:06 (11 years ago)

Author:

Kris Deugau

Message:

/trunk

• Session-handling tweak; set cookies to expire so use of the Back button doesn't result in read-only access to everything.
• Fiddle group handling in session data and on constructing URLs; side effects possibly related to the session issue caused a user in a subgroup to get mistakenly fed data for the root group - except for the group list in the menu. Arguably security fixes; see #30.

File:

• trunk/dns.cgi (modified) (4 diffs)

trunk/dns.cgi

@@ -219 +219 @@
 my $sesscookie = $q->cookie( -name => 'dnsadmin_session',
         -value => $sid,
-#        -expires => "+".$dnsdb->{timeout},
+        -expires => "+".$dnsdb->{timeout},
         -secure => 0,
 ## fixme:  need to extract root path for cookie, so as to limit cookie to dnsadmin instance
@@ -242 +242 @@
       $sesscookie = $q->cookie( -name => 'dnsadmin_session',
         -value => $sid,
-#        -expires => "+".$dnsdb->{timeout},
+        -expires => "+".$dnsdb->{timeout},
         -secure => 0,
 ## fixme:  need to extract root path for cookie, so as to limit cookie to dnsadmin instance
@@ -254 +254 @@
       $session->param('uid',$userdata->{user_id});
       $session->param('username',$webvar{username});
+      $curgroup = $userdata->{group_id};
 
 # for reference.  seems we don't need to set these on login any more.
@@ -1818 +1819 @@
   $page->param(whereami => $uri_self);
 # fill in general URL-to-self
-  $page->param(script_self => "$ENV{SCRIPT_NAME}?".($curgroup ? "curgroup=$curgroup" : ''));
+  $page->param(script_self => "$ENV{SCRIPT_NAME}?");
 }