diff --git a/acl/list_sessions.cgi b/acl/list_sessions.cgi
index fa30c3780..6d11246c9 100755
--- a/acl/list_sessions.cgi
+++ b/acl/list_sessions.cgi
@@ -37,6 +37,7 @@ foreach my $k (sort { my @a = split(/\s+/, $sessiondb{$a});
 next if ($k =~ /^1111111/);
 my ($user, $ltime, $lip) = split(/\s+/, $sessiondb{$k});
 next if ($user =~ /^\!/ && !$in{'logouts'});
+ next if ($user =~ /^-/);
 next if ($miniserv{'logouttime'} && $time_now - $ltime > $miniserv{'logouttime'}*60);
 my @cols;
diff --git a/miniserv.pl b/miniserv.pl
index 3cccffd57..6a9526566 100755
--- a/miniserv.pl
+++ b/miniserv.pl
@@ -1108,7 +1108,7 @@ while(1) {
 $time_now - $ltime > $lot*60 && !$notimeout) {
 # Session has timed out
- print $outfd "1 ",$time_now - $ltime,"\n";
+ print $outfd "1 ",($time_now - $ltime),"\n";
 #delete($sessiondb{$skey});
 }
 elsif ($ip && $vip && $ip ne $vip &&
@@ -1806,19 +1806,28 @@ if ($config{'session'} && !$deny_authentication &&
 }
 }
 elsif ($in{'session'}) {
- # Session ID given .. put it in the cookie if valid
+ # Session ID given, perhaps from a single-use login link.
 local $sid = $in{'session'};
 if ($sid =~ /\r|\n|\s/) {
 &http_error(500, "Invalid session", "Session ID contains invalid characters");
 }
 print $PASSINw "verify $sid 0 $acptip\n";
- <$PASSOUTr> =~ /(\d+)\s+(\S+)/;
+ <$PASSOUTr> =~ /^(\d+)\s+(\S+)/;
 if ($1 != 2) {
 &http_error(500, "Invalid session", "Session ID is not valid");
 }
+
+ # If this was a one-time session ID link, the username will
+ # have a - prefix to prevent it from being used as a regular
+ # session.
 local $vu = $2;
+ $vu =~ s/^-//;
+
+ # Clear this one-time session, and issue a new one
+ print $PASSINw "delete $sid\n";
+ local $louser = <$PASSOUTr>;
 local $hrv = &handle_login( $vu, $vu ? 1 : 0, 0, 0, undef, 1, 0);
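Review bot: The added `next if ($user =~ /^-/);` in acl/list_sessions.cgi depends on a convention that is explained only in the miniserv.pl hunk of this commit — a leading `-` on the stored username marks a one-time login session — so a reader of the listing code cannot tell what is being skipped or why. A comment above the line would make it self-explanatory, e.g. `# Skip one-time login sessions, which miniserv stores with a - prefix on the username`. Unlike the `!` logout entries filtered on the line above, which the `logouts` parameter can reveal, these entries are hidden unconditionally, so an administrator apparently has no view of one-time login sessions that are still present in the session database; if that is intended, the comment should say so. The enclosing foreach loop starts and ends outside the hunk.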