authorTed Trask <ttrask01@yahoo.com>2010-10-29 10:16:15 +0000
committerTed Trask <ttrask01@yahoo.com>2010-10-29 10:16:15 +0000
commit39ca0e42d28efe74e2046fc282eed9b7bfe15cb0 (patch)
tree565d9a952ffa696a819d16db903aa1d8d86ebf05
parent5148a9dd902ff96559c7df1915dae512a275147c (diff)
downloadacf-core-39ca0e42d28efe74e2046fc282eed9b7bfe15cb0.tar.bz2
acf-core-39ca0e42d28efe74e2046fc282eed9b7bfe15cb0.tar.xz
Fix two bugs related to session lockout.
Parse the lockevent filename; a user was being locked out because their username was a substring of another username. Also, all active sessions were killed whenever anyone got locked out, because of an error in username processing.
-rw-r--r--app/acf_www-controller.lua2
-rw-r--r--lib/session.lua5
2 files changed, 4 insertions, 3 deletions
diff --git a/app/acf_www-controller.lua b/app/acf_www-controller.lua
index 8878a8b..ee41bb9 100644
--- a/app/acf_www-controller.lua
+++ b/app/acf_www-controller.lua
@@ -281,7 +281,7 @@ mvc.on_load = function (self, parent)
else
--logevent("Found session")
-- We read in a valid session, check if it's ok
- if sessionlib.count_events(self.conf.sessiondir,self.conf.userid or "", sessionlib.hash_ip_addr(self.conf.clientip), self.conf.lockouttime, self.conf.lockouteventlimit) then
+ if self.sessiondata.userinfo and self.sessiondata.userinfo.userid and sessionlib.count_events(self.conf.sessiondir, self.sessiondata.userinfo.userid, sessionlib.hash_ip_addr(self.conf.clientip), self.conf.lockouttime, self.conf.lockouteventlimit) then
--logevent("Bad session, erasing")
-- Too many events on this id / ip, kill the session
sessionlib.unlink_session(self.conf.sessiondir, self.clientdata.sessionid)
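Review bot: The new guard on `self.sessiondata.userinfo.userid` means count_events is not called at all for a session that has no userinfo, so the address half of the lockout check is skipped for those sessions. If a locked-out client address is meant to lose its session even before logon, the call still has to run when there is no userid; passing `""` for the user is only safe if no lockevent file can carry an empty user field, because the session.lua change in this commit compares that field with `==`. If skipping is intended, a comment such as `-- no userid yet: lockout is enforced at logon, not here` would record it, assuming the logon path makes its own check. mvc.on_load begins and ends outside this hunk.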
diff --git a/lib/session.lua b/lib/session.lua
index f55f2bf..146c0e9 100644
--- a/lib/session.lua
+++ b/lib/session.lua
@@ -208,9 +208,10 @@ count_events = function (sessionpath, id_user, ipaddr, minutes, limit)
return false
else
local count = 0
- for a,b in pairs(t) do
+ for a,b in pairs(t) do
if posix.stat(b,"mtime") > minutes_ago then
- if string.match(b,id_user) or string.match(b,ipaddr) then
+ local user, ip = string.match(b, "/lockevent%.([^.]*)%.([^.]*)%.")
+ if id_user == user or ipaddr == ip then
count = count + 1
end
end
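Review bot: The pattern on the `local user, ip = string.match(...)` line splits the file name on `.`, so it recovers the right fields only when neither the userid nor the hashed address contains a dot. The code that writes lockevent files is not visible here; if it writes the userid unescaped, events for a userid with a dot in it (a constructed example: `first.last`) would parse into the wrong user and ip and never be counted, which quietly turns lockout off for that account. Either escape dots where the file name is built, or capture the user greedily and anchor the rest at the end of the name, e.g. `"/lockevent%.(.+)%.([^.]*)%.[^.]*$"` if exactly one dot-free field follows the address. When the match fails both captures are nil, so a nil `id_user` or `ipaddr` would compare equal and be counted; `if user and (id_user == user or ipaddr == ip) then` avoids that. count_events begins and ends outside this hunk.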