authorTed Trask <ttrask01@yahoo.com>2009-06-10 15:46:05 +0000
committerTed Trask <ttrask01@yahoo.com>2009-06-10 15:46:05 +0000
commite8cc4f1e257ba8ed3f6895d0b57d032e53d6542d (patch)
tree7217713698862c0e4e606e34ba3912c2b5390ea7
parentd8056b081fd3998e19242e3067786d6db4cf3f18 (diff)
Modified logonredirect to discard get/post data when the login redirect is not followed.
-rw-r--r--app/acf-util/logon-controller.lua8
-rw-r--r--app/acf-util/logon-model.lua2
2 files changed, 9 insertions, 1 deletions
diff --git a/app/acf-util/logon-controller.lua b/app/acf-util/logon-controller.lua
index c8cd82a..d71d257 100644
--- a/app/acf-util/logon-controller.lua
+++ b/app/acf-util/logon-controller.lua
@@ -22,6 +22,7 @@ logon = function(self)
local redir = cfe({ value=clientdata.redir or "/welcome/read", label="" })
local cmdresult = cfe({ type="form", value={userid=userid, password=password, redir=redir}, label="Logon", option="Logon" })
if clientdata.Logon then
+ local logonredirect = self.sessiondata.logonredirect
local logon = self.model:logon(clientdata.userid, clientdata.password, conf.clientip, conf.sessiondir, sessiondata)
-- If successful logon, redirect to welcome-page, otherwise try again
if logon.value then
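Review bot: The added `local logonredirect = self.sessiondata.logonredirect` reads the session through `self.sessiondata`, while the `self.model:logon(...)` call on the next line passes the bare `sessiondata`; if both names refer to the same table, one spelling should be used so the capture-then-clear ordering is obvious. The capture only works because it runs before the model wipes the session, so a comment would help, for example `-- save before model:logon clears sessiondata; restored below only if we redirect there`. The `logon` function starts and ends outside this hunk.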
@@ -31,6 +32,13 @@ logon = function(self)
end
cmdresult = self:redirect_to_referrer(cmdresult)
if logon.value then
+ -- only copy the logonredirect if redirecting to that page
+ if logonredirect and cmdresult.value.redir.value then
+ local prefix, controller, action = self.parse_path_info("/"..cmdresult.value.redir.value)
+ if logonredirect.action == action and logonredirect.controller == controller then
+ self.sessiondata.logonredirect = logonredirect
+ end
+ end
redirect(self, cmdresult.value.redir.value)
end
else
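Review bot: The `prefix` returned by `self.parse_path_info` is assigned but never compared, so the saved `logonredirect` (which, per the commit message, carries the original get/post data) is restored whenever controller and action match, even under a different prefix. The redirect target being matched appears to originate from `clientdata.redir` earlier in the function, so the match should be as strict as the saved record allows. If `logonredirect` stores a prefix field (not visible here), compare it as well: `if logonredirect.prefix == prefix and logonredirect.action == action and logonredirect.controller == controller then`. The enclosing function extends beyond this hunk.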
diff --git a/app/acf-util/logon-model.lua b/app/acf-util/logon-model.lua
index 34aa46e..c110ee6 100644
--- a/app/acf-util/logon-model.lua
+++ b/app/acf-util/logon-model.lua
@@ -39,7 +39,7 @@ logon = function (self, userid, password, ip_addr, sessiondir, sessiondata)
session.unlink_session(sessiondir, sessiondata.id)
-- Clear the current session data
for a,b in pairs(sessiondata) do
- if a ~= "id" and a ~= "logonredirect" then sessiondata[a] = nil end
+ if a ~= "id" then sessiondata[a] = nil end
end
--]]
sessiondata.id = session.random_hash(512)
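Review bot: After this change the loop drops `logonredirect` along with every other key, and the only thing that preserves it is the copy the controller takes before calling the model; the comment above the loop should say so, for example `-- Clear the current session data, including logonredirect (the caller restores it if still needed)`. Any other caller of this function, if one exists, would now lose the saved redirect silently. The `--]]` after the loop suggests a block-comment toggle whose opener is outside the hunk, so it is worth confirming the loop is active, since otherwise the stale get/post data would never be discarded.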