handlers/app.go: Removed Strict IP and User-Agent Session Validation
So, turns out validating stuff with these parameters is not a good idea at all. FML honestly.jocadbz
parent
7b0528ef36
commit
d2d64d69fc
|
@ -1,11 +1,13 @@
|
||||||
package handlers
|
package handlers
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"database/sql"
|
"database/sql"
|
||||||
"html/template"
|
"html/template"
|
||||||
"net/http"
|
"log"
|
||||||
"github.com/gorilla/sessions"
|
"net/http"
|
||||||
|
|
||||||
|
"github.com/gorilla/sessions"
|
||||||
)
|
)
|
||||||
|
|
||||||
type PageData struct {
|
type PageData struct {
|
||||||
|
@ -46,24 +48,21 @@ func (app *App) SessionMW(next http.HandlerFunc) http.HandlerFunc {
|
||||||
HttpOnly: true,
|
HttpOnly: true,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if _, ok := session.Values["user_id"].(int); ok {
|
|
||||||
// Skip IP and User-Agent check for WebSocket connections
|
ctx := context.WithValue(r.Context(), "session", session)
|
||||||
if r.URL.Query().Get("ws") != "true" {
|
r = r.WithContext(ctx)
|
||||||
if session.Values["user_ip"] != r.RemoteAddr || session.Values["user_agent"] != r.UserAgent() {
|
|
||||||
session.Values = make(map[interface{}]interface{})
|
|
||||||
session.Options.MaxAge = -1
|
|
||||||
session.Save(r, w)
|
|
||||||
http.Redirect(w, r, app.Config.ThreadrDir+"/login/?error=session", http.StatusFound)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
ctx := context.WithValue(r.Context(), "session", session)
|
|
||||||
r = r.WithContext(ctx)
|
|
||||||
} else {
|
|
||||||
ctx := context.WithValue(r.Context(), "session", session)
|
|
||||||
r = r.WithContext(ctx)
|
|
||||||
}
|
|
||||||
next(w, r)
|
next(w, r)
|
||||||
|
|
||||||
|
if err := session.Save(r, w); err != nil {
|
||||||
|
/*
|
||||||
|
Ok, so here's the thing
|
||||||
|
Errors coming from this function here "can" be ignored.
|
||||||
|
They mostly come from errors while setting cookies, so in some
|
||||||
|
environments this will trigger a lot, but they are harmless.
|
||||||
|
*/
|
||||||
|
log.Printf("Error saving session in SessionMW: %v", err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -76,4 +75,4 @@ func (app *App) RequireLoginMW(next http.HandlerFunc) http.HandlerFunc {
|
||||||
}
|
}
|
||||||
next(w, r)
|
next(w, r)
|
||||||
}
|
}
|
||||||
}
|
}
|
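Review bot: In SessionMW the new `session.Save(r, w)` runs after `next(w, r)`, by which point the handler has normally started writing its response, so a `Set-Cookie` header added there is not sent; if the store is cookie-backed, the save can silently do nothing without returning an error. The block comment that calls these errors harmless is therefore misleading: I would replace it with `// A Save error means session changes were not persisted for this request.` and have handlers that modify the session save it before they write the response. With the IP and User-Agent comparison removed, a copied session cookie is accepted from any client until it expires, and only `HttpOnly: true` is visible in this hunk. The options block that begins above the hunk should be checked for `Secure`, `SameSite` and a bounded `MaxAge`, and the login path for issuing a fresh session. SessionMW's body starts outside the hunk, so the store type and the remaining options are not visible from here.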