author | Mike Mason <ms13sp@gmail.com> | 2008-01-29 21:00:22 +0000 |
---|---|---|
committer | Mike Mason <ms13sp@gmail.com> | 2008-01-29 21:00:22 +0000 |
commit | 16dec62905c7e8580bff7ef5f75c29b29409d105 (patch) | |
tree | 89da66e6fe2f58f4446cee73a07eb0d55e147ada | |
parent | 51821a9b89c2e79a683dcd4ff29b3ffc2921d2e2 (diff) | |
Updated changes, hopefully meeting most of the security check/validation items in nangel's list
git-svn-id: svn://svn.alpinelinux.org/acf/core/trunk@663 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r-- | app/acf-util/logon-model.lua | 35 |
1 files changed, 26 insertions, 9 deletions
diff --git a/app/acf-util/logon-model.lua b/app/acf-util/logon-model.lua
index 5eaf93b..abbbfd2 100644
--- a/app/acf-util/logon-model.lua
+++ b/app/acf-util/logon-model.lua
@@ -20,20 +20,37 @@ else
 auth = require ("authenticator-plaintext")
 end
-
 logon = function (self, id_user, password_user,sessdata )
-session.expired_events(conf.sessiondir, minutes_expired_events)
 local userid=cfe({ name="userid",type="text" })
 local password=cfe({ name="password" ,type="password"})
 local logon=cfe({ name="Logon", type="submit"})
 local s = ""
-if session.check_session(conf.sessiondir, sessdata) ~= "an unknown user" then
-userid.errtxt="Currently logged onto the system. Please Logoff"
+local csess = session.check_session(conf.sessiondir, sessdata)
+if csess ~= "an unknown user" then
+session.unlink_session(conf.sessiondir, sessdata)
+for a,b in pairs(sessiondata) do
+sessiondata[a] = nil
+end
+sessiondata.id = session.random_hash(512)
 end
+local counteven = session.count_events(conf.sessiondir, id_user, session.hash_ip_addr(ENV["REMOTE_ADDR"]), minutes_count_events)
+
+if counteven > limit_count_events then
+userid.errtxt="Information not recognized"
+return (cfe {type="form",
+ option={script=ENV["SCRIPT_NAME"],
+ prefix=self.conf.prefix,
+ controller=self.conf.controller,
+ action="logon" },
+ value={userid,password,logon},testme={counteven}
+ })
+end
+
+session.expired_events(conf.sessiondir, minutes_expired_events)
 if id_user and password_user then
- if auth.authenticate (self, id_user, password_user) then
+ if auth.authenticate (self, id_user, password_user) then
 local t = auth.get_userinfo (self, id_user)
 sessiondata.id = session.random_hash(512)
 sessiondata.userinfo = t or {}
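Review bot: The `testme={counteven}` field added to the returned form carries the failed-attempt counter into the response structure, which reads as a debugging leftover; the same field is added in the two hunks below (`@@ -43,14` and `@@ -59,7`). Whether the view renders it cannot be seen here, but the counter has no business in the form handed to the client, so drop `,testme={counteven}` from all three `value=` lines. Separately, `session.count_events(...)` now runs on every request, including the initial one where `id_user` is nil, and before `session.expired_events(...)` purges old events, so it is worth confirming that `count_events` tolerates a nil user and applies its own `minutes_count_events` window. The loop variable `b` in `for a,b in pairs(sessiondata)` is unused; `for a, _ in pairs(sessiondata) do` makes that explicit. The body of logon continues past the end of the hunk.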
@@ -43,14 +60,14 @@ end
 self.conf.controller="logon"
 error(self.conf)
 else
- userid.errtxt = "Invalid Attempt"
- session.record_event(conf.sessiondir, id_user)
+ userid.errtxt = "Information not recognized"
+ session.record_event(conf.sessiondir, id_user, session.hash_ip_addr(ENV["REMOTE_ADDR"]))
 return (cfe {type="form",
 option={script=ENV["SCRIPT_NAME"],
 prefix=self.conf.prefix,
 controller=self.conf.controller,
 action="logon" },
- value={userid,password,logon}
+ value={userid,password,logon},testme={counteven}
 })
 end
 else
@@ -59,7 +76,7 @@ end
 prefix=self.conf.prefix,
 controller=self.conf.controller,
 action="logon" } ,
- value={userid,password,logon}
+ value={userid,password,logon},testme={counteven}
 })
 end
 end
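Review bot: The failure branch now records the attempt keyed on `id_user` plus `session.hash_ip_addr(ENV["REMOTE_ADDR"])`, which ties the lockout to the (user, client address) pair; behind a reverse proxy every client presents the proxy's address, and when the CGI variable is unset the key presumably collapses to the user name alone, assuming `hash_ip_addr` accepts nil at all. A comment above the call would record that choice, e.g. `-- lockout key: user + hashed client address; REMOTE_ADDR is the proxy when fronted by one`. Using the same "Information not recognized" text as the over-limit branch in the first hunk is the right call, since the message no longer reveals whether the user exists. The enclosing if/else begins before this hunk.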