|
195 |
195 |
|
|
196 |
196 |
set persistent_p [expr {$default_persistent_login_p == 1 ? "t" : ""}] |
|
197 |
197 |
|
|
198 |
|
# One common problem with login is that people can hit the back button |
|
199 |
|
# after a user logs out and relogin by using the cached password in |
|
200 |
|
# the browser. We generate a unique hashed timestamp so that users |
|
201 |
|
# cannot use the back button. |
|
202 |
|
|
|
|
198 |
# |
|
|
199 |
# A common issue occurs when users press the back button after |
|
|
200 |
# logging out, potentially reusing cached credentials. To prevent |
|
|
201 |
# this, we generate a unique hashed timestamp, ensuring that |
|
|
202 |
# cached pages cannot be used to bypass the login process. |
|
|
203 |
# |
|
203 |
204 |
set time [ns_time] |
|
204 |
205 |
set token_id [sec_get_random_cached_token_id] |
|
205 |
206 |
set token [sec_get_token $token_id] |
|
|
216 |
217 |
-package_id $::acs::kernel_id \ |
|
217 |
218 |
-default 0] ;# was 600 |
|
218 |
219 |
# |
|
219 |
|
# Just check the expiration time, when the configured value is > |
|
220 |
|
# 0. The old trick with the expiration time of the login page is |
|
221 |
|
# not an issue of modern browsers, since the login page takes |
|
222 |
|
# already care of avoiding caching. |
|
|
220 |
# Only enforce the expiration time check when the configured value |
|
|
221 |
# is greater than 0. Modern browsers already handle cache control |
|
|
222 |
# for the login page, so the old workaround using a short |
|
|
223 |
# expiration time to prevent caching is no longer necessary. |
|
223 |
224 |
# |
|
224 |
225 |
if { $expiration_time > 0 } { |
|
225 |
226 |
if { $expiration_time < 30 } { |
|
226 |
227 |
# |
|
227 |
|
# Sanity check: If expiration_time is less than 30 seconds, |
|
228 |
|
# it's practically impossible to login and you will have |
|
229 |
|
# completely hosed login on your entire site |
|
|
228 |
# Sanity check: If the expiration_time is less than 30 seconds, |
|
|
229 |
# logging-in becomes virtually impossible, potentially breaking |
|
|
230 |
# authentication across the entire site. |
|
230 |
231 |
# |
|
231 |
232 |
ns_log warning "login: fix invalid setting of kernel parameter LoginPageExpirationTime \ |
|
232 |
233 |
(value $expiration_time); must be at least 30 (secs)" |