fix: 解决登录之后 cookie 没有刷新的漏洞

zhengkunwang223 · zhengkunwang223 · commit 1e9c550356c1 · 2023-01-11T14:06:47.000+08:00
diff --git a/internal/api/v1/session/profile.go b/internal/api/v1/session/profile.go
@@ -7,7 +7,7 @@ import (
 	"github.com/kataras/iris/v12/context"
 )
 
-func (h Handler) UpdateProfile() iris.Handler {
+func (h *Handler) UpdateProfile() iris.Handler {
 	return func(ctx *context.Context) {
 		var req ProfileSetter
 		if err := ctx.ReadJSON(&req); err != nil {
@@ -50,7 +50,7 @@ func (h Handler) UpdateProfile() iris.Handler {
 		ctx.Values().Set("data", "ok")
 	}
 }
-func (h Handler) UpdatePassword() iris.Handler {
+func (h *Handler) UpdatePassword() iris.Handler {
 	return func(ctx *context.Context) {
 		var pass PasswordSetter
 		if err := ctx.ReadJSON(&pass); err != nil {
diff --git a/internal/api/v1/session/session.go b/internal/api/v1/session/session.go
@@ -76,11 +76,6 @@ func (h *Handler) IsLogin() iris.Handler {
 				return
 			}
 		} else {
-			if err := session.Man.ShiftExpiration(ctx); err != nil {
-				ctx.StatusCode(iris.StatusInternalServerError)
-				ctx.Values().Set("message", fmt.Errorf("shift expiration falied, err: %v", err))
-				return
-			}
 			ctx.StatusCode(iris.StatusOK)
 			ctx.Values().Set("data", loginUser != nil)
 		}
@@ -167,8 +162,14 @@ func (h *Handler) Login() iris.Handler {
 			ctx.Values().Set("token", token)
 			return
 		default:
-			session := server.SessionMgr.Start(ctx)
-			session.Set("profile", profile)
+			sId := ctx.GetCookie(server.SessionCookieName)
+			if sId != "" {
+				ctx.RemoveCookie(server.SessionCookieName)
+				ctx.Request().Header.Del("Cookie")
+			}
+			sess := server.SessionMgr.Start(ctx)
+			ctx.SetCookieKV(server.SessionCookieName, sess.ID())
+			sess.Set("profile", profile)
 		}
 
 		ctx.StatusCode(iris.StatusOK)
diff --git a/internal/server/server.go b/internal/server/server.go
@@ -31,7 +31,7 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-const sessionCookieName = "SESS_COOKIE_KUBEPI"
+const SessionCookieName = "SESS_COOKIE_KUBEPI"
 
 var SessionMgr *sessions.Sessions
 
@@ -149,7 +149,7 @@ func (e *KubePiServer) setUpStaticFile() {
 }
 
 func (e *KubePiServer) setUpSession() {
-	SessionMgr = sessions.New(sessions.Config{Cookie: sessionCookieName, AllowReclaim: true, Expires: time.Duration(e.config.Spec.Session.Expires) * time.Hour})
+	SessionMgr = sessions.New(sessions.Config{Cookie: SessionCookieName, AllowReclaim: true, Expires: time.Duration(e.config.Spec.Session.Expires) * time.Hour})
 	e.rootRoute.Use(SessionMgr.Handler())
 }
 

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ import (`
`7`	`7`	`"github.com/kataras/iris/v12/context"`
`8`	`8`	`)`
`9`	`9`
`10`		`-func (h Handler) UpdateProfile() iris.Handler {`
	`10`	`+func (h *Handler) UpdateProfile() iris.Handler {`
`11`	`11`	`return func(ctx *context.Context) {`
`12`	`12`	`var req ProfileSetter`
`13`	`13`	`if err := ctx.ReadJSON(&req); err != nil {`
`@@ -50,7 +50,7 @@ func (h Handler) UpdateProfile() iris.Handler {`
`50`	`50`	`ctx.Values().Set("data", "ok")`
`51`	`51`	`}`
`52`	`52`	`}`
`53`		`-func (h Handler) UpdatePassword() iris.Handler {`
	`53`	`+func (h *Handler) UpdatePassword() iris.Handler {`
`54`	`54`	`return func(ctx *context.Context) {`
`55`	`55`	`var pass PasswordSetter`
`56`	`56`	`if err := ctx.ReadJSON(&pass); err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ import (`
`31`	`31`	`"github.com/sirupsen/logrus"`
`32`	`32`	`)`
`33`	`33`
`34`		`-const sessionCookieName = "SESS_COOKIE_KUBEPI"`
	`34`	`+const SessionCookieName = "SESS_COOKIE_KUBEPI"`
`35`	`35`
`36`	`36`	`var SessionMgr *sessions.Sessions`
`37`	`37`
`@@ -149,7 +149,7 @@ func (e *KubePiServer) setUpStaticFile() {`
`149`	`149`	`}`
`150`	`150`
`151`	`151`	`func (e *KubePiServer) setUpSession() {`
`152`		`- SessionMgr = sessions.New(sessions.Config{Cookie: sessionCookieName, AllowReclaim: true, Expires: time.Duration(e.config.Spec.Session.Expires) * time.Hour})`
	`152`	`+ SessionMgr = sessions.New(sessions.Config{Cookie: SessionCookieName, AllowReclaim: true, Expires: time.Duration(e.config.Spec.Session.Expires) * time.Hour})`
`153`	`153`	`e.rootRoute.Use(SessionMgr.Handler())`
`154`	`154`	`}`
`155`	`155`