Fix CSRF
Domain name was hardcoded, use the config file instead.
This commit is contained in:
parent
fd87cf95ee
commit
9e51de6c8e
|
@ -35,8 +35,9 @@ local function login_post(req)
|
||||||
local hash = sha3(todigest)
|
local hash = sha3(todigest)
|
||||||
if hash == passhash then
|
if hash == passhash then
|
||||||
local mysession = session.start(id)
|
local mysession = session.start(id)
|
||||||
|
local domain_no_port = config.domain:match("(.*):.*")
|
||||||
http_response_header(req,"set-cookie",string.format(
|
http_response_header(req,"set-cookie",string.format(
|
||||||
[[session=%s; SameSite=Lax; Path=/; Domain=test.monster; HttpOnly; Secure]],mysession
|
[[session=%s; SameSite=Lax; Path=/; Domain=%s; HttpOnly; Secure]],mysession,domain_no_port
|
||||||
))
|
))
|
||||||
local loc = string.format("https://%s.%s",name,config.domain)
|
local loc = string.format("https://%s.%s",name,config.domain)
|
||||||
http_response_header(req,"Location",loc)
|
http_response_header(req,"Location",loc)
|
||||||
|
|
Loading…
Reference in New Issue