fix: 解决登录之后 cookie 没有刷新的漏洞

1Panel-dev · Jan 10, 2023 · 0f95c94 · 0f95c94
1 parent 0c6774b
commit 0f95c94
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 10 deletions.
diff --git a/internal/api/v1/session/profile.go b/internal/api/v1/session/profile.go
@@ -7,7 +7,7 @@ import (
 	"github.com/kataras/iris/v12/context"
 )
 
-func (h Handler) UpdateProfile() iris.Handler {
+func (h *Handler) UpdateProfile() iris.Handler {
 	return func(ctx *context.Context) {
 		var req ProfileSetter
 		if err := ctx.ReadJSON(&req); err != nil {
@@ -50,7 +50,7 @@ func (h Handler) UpdateProfile() iris.Handler {
 		ctx.Values().Set("data", "ok")
 	}
 }
-func (h Handler) UpdatePassword() iris.Handler {
+func (h *Handler) UpdatePassword() iris.Handler {
 	return func(ctx *context.Context) {
 		var pass PasswordSetter
 		if err := ctx.ReadJSON(&pass); err != nil {

diff --git a/internal/api/v1/session/session.go b/internal/api/v1/session/session.go
@@ -4,6 +4,8 @@ import (
 	goContext "context"
 	"errors"
 	"fmt"
+	"github.com/google/uuid"
+	"github.com/kataras/iris/v12/sessions"
 	"strings"
 	"time"
 
@@ -76,11 +78,6 @@ func (h *Handler) IsLogin() iris.Handler {
 				return
 			}
 		} else {
-			if err := session.Man.ShiftExpiration(ctx); err != nil {
-				ctx.StatusCode(iris.StatusInternalServerError)
-				ctx.Values().Set("message", fmt.Errorf("shift expiration falied, err: %v", err))
-				return
-			}
 			ctx.StatusCode(iris.StatusOK)
 			ctx.Values().Set("data", loginUser != nil)
 		}
@@ -167,7 +164,12 @@ func (h *Handler) Login() iris.Handler {
 			ctx.Values().Set("token", token)
 			return
 		default:
-			session := server.SessionMgr.Start(ctx)
+			session := sessions.Get(ctx)
+			sId := ctx.GetCookie(server.SessionCookieName)
+			if sId != "" {
+				id, _ := uuid.NewRandom()
+				ctx.SetCookieKV(server.SessionCookieName, id.String())
+			}
 			session.Set("profile", profile)
 		}
 

diff --git a/internal/server/server.go b/internal/server/server.go
@@ -31,7 +31,7 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-const sessionCookieName = "SESS_COOKIE_KUBEPI"
+const SessionCookieName = "SESS_COOKIE_KUBEPI"
 
 var SessionMgr *sessions.Sessions
 
@@ -149,7 +149,7 @@ func (e *KubePiServer) setUpStaticFile() {
 }
 
 func (e *KubePiServer) setUpSession() {
-	SessionMgr = sessions.New(sessions.Config{Cookie: sessionCookieName, AllowReclaim: true, Expires: time.Duration(e.config.Spec.Session.Expires) * time.Hour})
+	SessionMgr = sessions.New(sessions.Config{Cookie: SessionCookieName, AllowReclaim: true, Expires: time.Duration(e.config.Spec.Session.Expires) * time.Hour})
 	e.rootRoute.Use(SessionMgr.Handler())
 }