root
/
threadr.lostcave.ddnss.de
3
1
Fork 2
Code Issues 1 Pull Requests Projects Releases Wiki Activity

handlers/app.go: Removed Strict IP and User-Agent Session Validation 

So, turns out validating stuff with these parameters is not a good idea at all. FML honestly.
jocadbz
Joca 2025-06-29 21:24:28 -03:00
parent 7b0528ef36
commit d2d64d69fc
Signed by: jocadbz
GPG Key ID: B1836DCE2F50BDF7
1 changed files with 22 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
handlers/app.go
View File

@ -1,11 +1,13 @@
package handlers
import (
"context"
"database/sql"
"html/template"
"net/http"
"github.com/gorilla/sessions"
"context"
"database/sql"
"html/template"
"log"
"net/http"
"github.com/gorilla/sessions"
)
type PageData struct {
@ -46,24 +48,21 @@ func (app *App) SessionMW(next http.HandlerFunc) http.HandlerFunc {
HttpOnly: true,
}
}
if _, ok := session.Values["user_id"].(int); ok {
// Skip IP and User-Agent check for WebSocket connections
if r.URL.Query().Get("ws") != "true" {
if session.Values["user_ip"] != r.RemoteAddr || session.Values["user_agent"] != r.UserAgent() {
session.Values = make(map[interface{}]interface{})
session.Options.MaxAge = -1
session.Save(r, w)
http.Redirect(w, r, app.Config.ThreadrDir+"/login/?error=session", http.StatusFound)
return
}
}
ctx := context.WithValue(r.Context(), "session", session)
r = r.WithContext(ctx)
} else {
ctx := context.WithValue(r.Context(), "session", session)
r = r.WithContext(ctx)
}
ctx := context.WithValue(r.Context(), "session", session)
r = r.WithContext(ctx)
next(w, r)
if err := session.Save(r, w); err != nil {
/*
Ok, so here's the thing
Errors coming from this function here "can" be ignored.
They mostly come from errors while setting cookies, so in some
environments this will trigger a lot, but they are harmless.
*/
log.Printf("Error saving session in SessionMW: %v", err)
}
}
}
@ -76,4 +75,4 @@ func (app *App) RequireLoginMW(next http.HandlerFunc) http.HandlerFunc {
}
next(w, r)
}
}
}