From 18b3a48e842d1e13b5a8505f8fd18069836d8fa5 Mon Sep 17 00:00:00 2001
From: jsdelfino
Date: Mon, 26 Aug 2013 03:04:28 +0000
Subject: Fix handling of login session expiration and incorrect caching of login redirect responses.
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1517413 13f79535-47bb-0310-9956-ffa450edef68
---
 sca-cpp/trunk/modules/http/openauth.hpp | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
(limited to 'sca-cpp/trunk/modules/http/openauth.hpp')
diff --git a/sca-cpp/trunk/modules/http/openauth.hpp b/sca-cpp/trunk/modules/http/openauth.hpp
index 70c6f658ad..d448311cca 100644
--- a/sca-cpp/trunk/modules/http/openauth.hpp
+++ b/sca-cpp/trunk/modules/http/openauth.hpp
@@ -71,6 +71,16 @@ const maybe sessionID(const request_rec* const r, const string& key) {
 return sessionID(tokenize(";", c), key);
 }
 
+/**
+ * Convert a number of seconds to an expiration date.
+ */
+const string expires(const int s) {
+ const time_t t = time(NULL) + s;
+ char exp[32];
+ strftime(exp, 32, "%a, %d-%b-%Y %H:%M:%S GMT", gmtime(&t));
+ return string(exp);
+}
+
 /**
 * Convert a session id to a cookie string.
 */
@@ -80,10 +90,8 @@ const string cookie(const string& key, const string& sid, const string& domain)
 debug(c, "openauth::cookie");
 return c;
 }
- const time_t t = time(NULL) + 86400;
- char exp[32];
- strftime(exp, 32, "%a, %d-%b-%Y %H:%M:%S GMT", gmtime(&t));
- const string c = key + string("=") + sid + "; expires=" + string(exp) + "; domain=." + httpd::realm(domain) + "; path=/; secure; httponly";
+ const string exp = "604800";
+ const string c = key + string("=") + sid + (length(exp) != 0? string("; max-age=") + exp : emptyString) + "; domain=." + httpd::realm(domain) + "; path=/; secure; httponly";
 debug(c, "openauth::cookie");
 return c;
 }
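Review bot: The new `expires()` helper calls `gmtime()`, which returns a pointer to static storage and is not safe under a threaded MPM, and it discards the return value of `strftime()`, so when the formatted date does not fit in 32 bytes (it fits for the C locale, but `%a` and `%b` are locale-dependent) `exp` is left unwritten and `string(exp)` reads an uninitialized, possibly unterminated buffer. Use the reentrant form and check the length: `struct tm tm; gmtime_r(&t, &tm);` followed by `if (strftime(exp, sizeof(exp), "%a, %d-%b-%Y %H:%M:%S GMT", &tm) == 0) return emptyString;`. Nothing in this diff calls `expires()` — the cookie hunk that follows switched to `max-age` — so unless another part of the file uses it, the helper is dead code.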
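Review bot: In the cookie hunk the `length(exp) != 0` test can never be false because `exp` is the literal `"604800"`, so the conditional is dead and hides the substantive change, which also extends the login cookie's lifetime from 24 hours (the removed `86400`) to 7 days without the commit message saying so; if the longer window is intended, make it explicit, e.g. `const string exp = "604800"; // 7 days`, and drop the conditional. Older Internet Explorer versions ignore `max-age` and then treat the cookie as session-only, so emitting both attributes, `"; max-age=" + exp + "; expires=" + expires(604800)`, keeps the expiry consistent across clients and gives the new `expires()` helper a caller. The start of `cookie()`, including the early-return branch whose tail opens the hunk, lies outside the hunk.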
@@ -92,6 +100,16 @@ const string cookie(const string& key, const string& sid, const string& domain)
 * Redirect to the configured login page.
 */
 const failable login(const string& page, const value& ref, const value& attempt, request_rec* const r) {
+
+ // Don't redirect non-cacheable requests, just respond with an uncacheable 403 response
+ const char* cc = apr_table_get(r->headers_in, "X-Cache-Control");
+ if(cc != NULL && !strcmp(cc, "no-cache")) {
+ apr_table_setn(r->headers_out, "Cache-Control", "no-cache, no-store, must-revalidate, max-age=0");
+ apr_table_setn(r->err_headers_out, "Cache-Control", "no-cache, no-store, must-revalidate, max-age=0");
+ return HTTP_FORBIDDEN;
+ }
+
+ // Redirect to the login page
 const list rarg = ref == string("/")? nilListValue : mklist(mklist("openauth_referrer", httpd::escape(httpd::url(isNull(ref)? r->uri : ref, r))));
 const list aarg = isNull(attempt)? nilListValue : mklist(mklist("openauth_attempt", attempt));
 const list largs = append(rarg, aarg);
-- 
cgit v1.2.3
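Review bot: The new `no-cache` check in `login()` is an exact, case-sensitive `strcmp`, so a client sending `X-Cache-Control: No-Cache` or `no-cache, no-store` still takes the redirect path; Cache-Control directives are case-insensitive, so `strcasecmp(cc, "no-cache")` (or scanning the comma-separated directives) matches the comment's intent better. The redirect branch that follows sets no `Cache-Control` header within the hunk, so unless the remainder of `login()` (which continues outside the hunk) does, the login redirect named in the commit title can still be stored by a shared cache; setting `Cache-Control: no-store` on the redirect as well, and `Pragma: no-cache` for HTTP/1.0 caches, would close that gap. `X-Cache-Control` is a client-supplied request header, so this branch only changes the shape of the denial from a redirect to a 403, which is acceptable as long as no caller treats the 403 as a distinct authentication outcome.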