From 5c859e6fef5c2b26a5727397027ce758aad1b8ff Mon Sep 17 00:00:00 2001
From: "psyc://loupsycedyglgamf.onion/~lynX"
Date: Wed, 1 Aug 2018 21:35:05 +0200
Subject: [PATCH] challenge: expire the cookie diligently
---
 world/net/include/place.gen | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/world/net/include/place.gen b/world/net/include/place.gen
index a025557..feb6660 100644
--- a/world/net/include/place.gen
+++ b/world/net/include/place.gen
@@ -619,13 +619,14 @@ htget(prot, query, headers, qs) {
 // maybe this all belongs into archetype.gen.. chesmo!
 htget(prot, query, headers, qs, data, noprocess) {
+ string item = headers[item] || "/@"+ MYNICK;
 if (stringp(headers["cookie"]) && regmatch(headers["cookie"], "challenge=complete&answer="+ md5(CHALLENGE_MATCH))) {
 CHALOG("completes");
 htnotify(query, headers, "_accomplished_web", "Challenge accomplished in [_nick_place] by [_web_on] coming from [_web_from].");
 # ifdef CHALLENGE_REDIRECT
- return htredirect(prot, CHALLENGE_REDIRECT);
+ return htredirect(prot, CHALLENGE_REDIRECT, "There you go", 0, "Set-Cookie: psycplace=\"challenge=done\"; Path="+ item +"; Secure; Max-Age=9\n");
 # else
 # ifdef HTGET
 // you may want to output a player iframe instead of a redirect...
@@ -635,7 +636,6 @@ htget(prot, query, headers, qs, data, noprocess) {
 # endif
 # endif
 }
- string item = headers[item] || "/@"+ MYNICK;
 if (stringp(query["answer"]) && headers["cookie"] && regmatch(headers["cookie"], "challenge=given") && regmatch(lower_case(query["answer"]), CHALLENGE_MATCH)) {
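Review bot: Max-Age only tells the browser when to drop the cookie; the server-side check `regmatch(headers["cookie"], "challenge=complete&answer="+ md5(CHALLENGE_MATCH))` still accepts that value at any time, and since it is a fixed digest of the answer, a cookie copied from one passing browser stays a permanent bypass for whoever holds it (the `// could add a timeout here...` comment before the htok3 call in the next hunk points at the same gap). Enforcing expiry server-side would mean putting something time-bound into the cookie value, such as an expiry timestamp authenticated by a digest over it and a server-held secret, and rejecting the cookie once that time has passed. Separately, the three new Set-Cookie headers here and in the next hunk carry `Secure` but not `HttpOnly`; appending `; HttpOnly` keeps the token out of reach of page scripts, while `Secure` means a request over plain http never returns the cookie, so if this place can be reached without TLS the "Reload, please" redirect will loop — presumably `prot` tells which scheme is in use and the attribute could be gated on it. The moved `string item = headers[item] || "/@"+ MYNICK;` line still indexes headers with the variable it is declaring, which looks like it always falls back to the MYNICK path; if a request header was intended the key should be a string literal, though I cannot see from here how headers is keyed.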
@@ -644,14 +644,14 @@ htget(prot, query, headers, qs, data, noprocess) {
 strlen(query["parameters"]) ? item +"?"+ query["parameters"] : item;
 CHALOG("reloads");
- htredirect(prot, nu, "Reload, please", 0, "Set-Cookie: psycplace=\"challenge=complete&answer="+ md5(CHALLENGE_MATCH) +"\"; path="+ item +";\n");
+ htredirect(prot, nu, "Reload, please", 0, "Set-Cookie: psycplace=\"challenge=complete&answer="+ md5(CHALLENGE_MATCH) +"\"; Path="+ item +"; Secure; Max-Age=99\n");
 return 1;
 }
 sTextPath(query["layout"], query["lang"], "html");
 // using a non-psyced cookie here so that you can't construct a
 // url that allows other people to bypass the challenge.
 // could add a timeout here...
- htok3(prot, 0, "Set-Cookie: psycplace=\"challenge=given\"; path="+ item +";\n");
+ htok3(prot, 0, "Set-Cookie: psycplace=\"challenge=given\"; Path="+ item +"; Secure; Max-Age=999\n");
 CHALOG("challenges");
 w("_PAGES_group_challenge", 0, ([
 "_challenge" : htquote(CHALLENGE_QUESTION),