185dbcc2ba84d6eb1301163b926ebed3177cd379 angie Thu May 19 04:42:20 2016 -0700 Several revisions to login cookie-checking after helpful code review by Max: Use /dev/urandom instead of srand(clock1000()), duh. Instead of forming cookie strings in both wikiLink.c and hgLogin.c, form them all in wikiLink.c so they're consistent. The wikiLink routines now return (possibly empty) slName lists of cookie strings to be set. The login system uses new cookie names that default to a concatentation of central.cookie (which needs to have one name per central database, like hguid for RR hgcentral and hguid.genome-test for hgcentraltest) and either optional new config params login.tokenCookie and login.userNameCookie or central.cookie concatenated with hgLoginToken and hgLoginUserName (because login uses the central db, so it's different for hgwdev vs RR). If those cookies are not set but the wiki cookies are set, then we accept the wiki cookie values and send out the new cookies, removing the wiki cookies the first time that happens. The login system no longer depends on any wiki.* hg.conf settings. refs #17336, #17327 diff --git src/hg/lib/cart.c src/hg/lib/cart.c index 7d8ed3f..a16e65b 100644 --- src/hg/lib/cart.c +++ src/hg/lib/cart.c @@ -472,31 +472,31 @@ #ifndef GBROWSE void cartLoadUserSession(struct sqlConnection *conn, char *sessionOwner, char *sessionName, struct cart *cart, struct hash *oldVars, char *actionVar) /* If permitted, load the contents of the given user's session, and then * reload the CGI settings (to support override of session settings). * If non-NULL, oldVars will contain values overloaded when reloading CGI. * If non-NULL, actionVar is a cartRemove wildcard string specifying the * CGI action variable that sent us here. */ { struct sqlResult *sr = NULL; char **row = NULL; /* Validate login cookies if login is enabled */ if (loginSystemEnabled()) { - loginSystemValidateCookies(); + loginValidateCookies(cart); } char *userName = wikiLinkUserName(); char *encSessionName = cgiEncodeFull(sessionName); char *encSessionOwner = cgiEncodeFull(sessionOwner); char query[512]; if (isEmpty(sessionOwner)) errAbort("Please go back and enter a wiki user name for this session."); if (isEmpty(sessionName)) errAbort("Please go back and enter a session name to load."); sqlSafef(query, sizeof(query), "SELECT shared, contents FROM %s " "WHERE userName = '%s' AND sessionName = '%s';", namedSessionTable, encSessionOwner, encSessionName); sr = sqlGetResult(conn, query); @@ -1552,33 +1552,33 @@ cookieName, userIdKey, cookieDate()); } if (geoMirrorEnabled()) { // This occurs after the user has manually choosen to go back to the original site; we store redirect value into a cookie so we // can use it in subsequent hgGateway requests before loading the user's cart char *redirect = cgiOptionalString("redirect"); if (redirect) { printf("Set-Cookie: redirect=%s; path=/; domain=%s; expires=%s\r\n", redirect, cgiServerName(), cookieDate()); } } /* Validate login cookies if login is enabled */ if (loginSystemEnabled()) { - char *loginCookieString = loginSystemValidateCookies(); - if (loginCookieString) - printf("Set-Cookie: %s", loginCookieString); + struct slName *newCookies = loginValidateCookies(cart), *sl; + for (sl = newCookies; sl != NULL; sl = sl->next) + printf("Set-Cookie: %s\r\n", sl->name); } } struct cart *cartForSession(char *cookieName, char **exclude, struct hash *oldVars) /* This gets the cart without writing any HTTP lines at all to stdout. */ { char *hguid = getCookieId(cookieName); char *hgsid = getSessionId(); struct cart *cart = cartNew(hguid, hgsid, exclude, oldVars); cartExclude(cart, sessionVar); if (sameOk(cfgOption("signalsHandler"), "on")) /* most cgis call this routine */ initSigHandlers(hDumpStackEnabled()); char *httpProxy = cfgOption("httpProxy"); /* most cgis call this routine */ if (httpProxy)