luci/libs/web/luasrc/sauth.lua, branch 0.11.1 Lua Configuration Interface (mirror) https://git.openwrt.org/project/luci/atom?h=0.11.1 2012-08-08T09:48:47Z libs/web: rework luci.sauth 2012-08-08T09:48:47Z Jo-Philipp Wich 2012-08-08T09:48:47Z urn:sha1:abef50b85238f9effd7e6d6b3195358a84e56ecc - perform decoding/encoding transparently in read() and write() - remove decode() and encode() helpers - introduce reap() to kill expired sessions Rework authentication system 2012-08-07T19:11:56Z Jo-Philipp Wich 2012-08-07T19:11:56Z urn:sha1:a58370ab74aebca6871b1524a655f7bb5086e0a6 The validity of authentication tokens was determined by the mtime of respective authentication tokens on filesystem stored in $sessionpath. Talking about hardware without RTC or without a prior connection to a time server, date/time usually around 1970 - so is the mtime of the authentication token file in $sessionpath. When now configuring an internet connection via LuCI, the system might fetch the current date/time (e.g. via ntp) which invalidates the token, returns "403 Forbidden" and kicks the user out of the interface. This patch changes the authentication system to use time values based on the uptime of the machine - rather than values based upon gettimeofday() and {a|m}time values - and save them inside the token. That way can always determine the difference between login (last interaction respectively) and the current time, in- dependant of the system clock jumping backwards/forwards. Warning: This patch removes the clean() function and respective calls. This means, invalid tokens will NOT be determined and removed from filesystem automatically anymore. Before, every HTTP-call caused a scan for invalid tokens, which is quite expensive. Instead consider using a cron job deleting all stalled files periodically. Contributed by T-Labs, Deutsche Telekom Innovation Laboratories Signed-off-by: Mirko Vogt <mirko@openwrt.org> Typo 2009-07-31T17:08:59Z Steven Barth 2009-07-31T17:08:59Z urn:sha1:8b65a44fe8977908d2b7206feb601b696f276c44 Fix cookie logout 2009-07-31T17:08:18Z Steven Barth 2009-07-31T17:08:18Z urn:sha1:f648ab3445df562bc3d4c607d86f19f5bc65794e convert luci.fs users to nixio.fs api 2009-07-19T00:24:58Z Jo-Philipp Wich 2009-07-19T00:24:58Z urn:sha1:8fcd841aa9af96c8a4a4d3c1a555d2d1ed42332c Drop support for luaposix and bitlib (obsoleted by nixio) 2009-06-21T13:42:26Z Steven Barth 2009-06-21T13:42:26Z urn:sha1:30b216f774c2404a965807ddb93a4a4b2aaeac04 Mark luci.fs as deprecated Added luci.sauth.kill, sanitize luci.sauth even more 2008-12-14T21:42:59Z Steven Barth 2008-12-14T21:42:59Z urn:sha1:8b978f79fca72d3d8d76a1fb147addea2d7e3ded Inprove sanity check for luci.sauth.read 2008-09-05T14:52:06Z Steven Barth 2008-09-05T14:52:06Z urn:sha1:c03bde275f48bfc1711a2fcae9b09e3b83fe27ec Fixed some minor session handling issues 2008-09-05T14:28:36Z Steven Barth 2008-09-05T14:28:36Z urn:sha1:e2e1cf54974c5276ba8e874c2029857e8f97629a libs/web: Added several sanity checks to avoid local privilege escalation 2008-09-01T16:05:34Z Steven Barth 2008-09-01T16:05:34Z urn:sha1:bb8137062f3ea698d39ca25b86b44b9c3cc12dde