everywhere: use different session cookie names

If the user is hosting the dashboard in the same domain as their blog (with a nginx suburi, for example), the two session cookies clash; logging into one service logs you out of the other. With this patch, both have separate names. Fixes https://gitlab.com/commento/commento-ce/issues/49
2018-06-20 08:59:55 +05:30
parent 76a286d884
commit ef0f45527a
45 changed files with 189 additions and 282 deletions
--- a/api/owner_login.go
+++ b/api/owner_login.go
@@ -34,24 +34,24 @@ func ownerLogin(email string, password string) (string, error) {
 		return "", errorInvalidEmailPassword
 	}

-	session, err := randomHex(32)
+	ownerToken, err := randomHex(32)
 	if err != nil {
-		logger.Errorf("cannot create session hex: %v", err)
+		logger.Errorf("cannot create ownerToken: %v", err)
 		return "", errorInternal
 	}

 	statement = `
 		INSERT INTO
-		ownerSessions (session, ownerHex, loginDate)
-		VALUES        ($1,      $2,       $3       );
+		ownerSessions (ownerToken, ownerHex, loginDate)
+		VALUES        ($1,         $2,       $3       );
 	`
-	_, err = db.Exec(statement, session, ownerHex, time.Now().UTC())
+	_, err = db.Exec(statement, ownerToken, ownerHex, time.Now().UTC())
 	if err != nil {
-		logger.Errorf("cannot insert session token: %v\n", err)
+		logger.Errorf("cannot insert ownerSession: %v\n", err)
 		return "", errorInternal
 	}

-	return session, nil
+	return ownerToken, nil
 }

 func ownerLoginHandler(w http.ResponseWriter, r *http.Request) {
@@ -66,11 +66,11 @@ func ownerLoginHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	session, err := ownerLogin(*x.Email, *x.Password)
+	ownerToken, err := ownerLogin(*x.Email, *x.Password)
 	if err != nil {
 		writeBody(w, response{"success": false, "message": err.Error()})
 		return
 	}

-	writeBody(w, response{"success": true, "session": session})
+	writeBody(w, response{"success": true, "ownerToken": ownerToken})
 }