var room_number = 0;\r
if(typeof(req.query.rno) != "undefined")\r
room_number = req.query.rno;\r
- res.render("chat",{rno:room_number,token:info.token});\r
+ res.render("chat",{rno:room_number,token:req.session._csrf});\r
}\r
\r
function auth_proc(user, pass) {\r
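Review bot: The view now reads the csrf middleware's internal session key directly with `token:req.session._csrf`, and the same coupling recurs at L24, L32, L60, L78, L96 and L124. That key is only populated once `express.csrf()` has run for the request, and it is an implementation detail of the middleware rather than its documented interface, so a rename upstream would make every template silently render an empty hidden field and break form posts instead of failing loudly. A single helper such as `function csrfToken(req){ return req.session._csrf; }` called from each handler keeps the dependency in one place; if the installed middleware version exposes `req.csrfToken()`, that helper is the one spot to switch. The render call sits in a function whose start is outside the hunk.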
}\r
\r
function admin_postproc(req,res){\r
- if(req.session.items.token != req.body.token)\r
- {\r
- res.send(resource.invaild_token_message);\r
- return;\r
- }\r
if(typeof(req.body.erase) != "undefined")\r
{\r
removeLog(req.body.file,function(){\r
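Review bot: Removing the explicit token comparison changes the failure mode: the old branch answered a bad token with `res.send(resource.invaild_token_message)`, whereas `express.csrf()` rejects with a 403 error that falls through to `express.errorHandler()` (L43), so the response a user sees for a stale form is now different and should be confirmed as intended. The handler still passes `req.body.file` straight into `removeLog(...)`; the CSRF middleware only establishes that the request came from this site's own form, not that the filename names a log file, so `removeLog` itself should constrain the path to the log directory (its body is not shown here — confirm). admin_postproc continues past the hunk.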
files: list,\r
log_directory:$log_directory,\r
ipbanlist:iplist,\r
- token:info.token,\r
+ token:req.session._csrf,\r
roomlist:$rooms.GetString()\r
});\r
});\r
result = "failed get from session store";\r
else if(err)\r
result = err;\r
- else if(handshakeData.query.token != session.items.token)\r
+ else if(handshakeData.query.token != session._csrf)\r
result = "invaild token";\r
if(typeof(session) != "undefined" && result == null)\r
handshakeData.sessionID = sessionID;\r
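Review bot: The handshake check `else if(handshakeData.query.token != session._csrf)` passes whenever both operands are `undefined`: a client that omits `?token` against a session in which the csrf middleware has not stored `_csrf` compares `undefined != undefined`, which is false, so `result` stays null and the socket is authorized. Guard the type explicitly, e.g. `else if(typeof(session._csrf) != "string" || handshakeData.query.token !== session._csrf)`. Note also that this value is now the token protecting every POST form and it travels in the socket.io connection URL built at L204, where access and proxy logs typically record query strings; a separate per-session socket nonce would keep the form token out of URLs. The enclosing authorization callback begins and ends outside the hunk.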
store:sessionStore,\r
cookie: { httpOnly: false }\r
}));\r
+ app.use(express.csrf());\r
app.use(app.router);\r
app.use(express.static(__dirname + "/public"));\r
});\r
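Review bot: With the per-handler token checks removed (L67–70, L85–88, L103–106, L113–116), every POST route's CSRF protection now rests on this single line, `app.use(express.csrf());`, being mounted after the session and body-parsing middleware and before `app.use(app.router)`; the body parser is not visible in this hunk, so that ordering should be confirmed. A comment stating the invariant would stop a later reordering from silently disabling the check, e.g. `// must follow session/bodyParser and precede app.router: every POST handler relies on it`. Separately, the session cookie two lines above is created with `httpOnly: false`; unless client script genuinely needs to read it, setting it to `true` is cheap hardening now that the session also carries the CSRF token. The configure block extends beyond the hunk.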
app.use(express.errorHandler()); \r
});\r
\r
-if(config.enable_profile)\r
- require("./profile")(app);\r
-\r
var server = http.createServer(app).listen(config.port);\r
console.log("Express server listening on port %d in %s mode", config.port, app.settings.env);\r
\r
require("./chat")(app,server,express,sessionStore);\r
+\r
+if(config.enable_profile)\r
+ require("./profile")(app);\r
if(err != null)\r
RenderMessage(res,err,info);\r
else{\r
- result.token = info.token;\r
+ result.token = req.session._csrf;\r
res.setHeader("X-FRAME-OPTIONS","DENY");\r
res.render("profile/admin",result);\r
}\r
\r
function admin_postproc(req,res)\r
{\r
- if(req.session.items.token != req.body.token){\r
- RenderMessage(res,resource.invaild_parameter,req.session.items);\r
- return;\r
- }\r
async.waterfall([\r
function(cb){\r
if(typeof(req.body.removeall) != "undefined")\r
RenderMessage(res,resource.notfound_name,req.session.items);\r
else{\r
res.setHeader("X-FRAME-OPTIONS","DENY");\r
- res.render("profile/detail",{list:result,token:req.session.items.token,admin:req.session.items.admin});\r
+ res.render("profile/detail",{list:result,token:req.session._csrf,admin:req.session.items.admin});\r
}\r
});\r
}\r
\r
function detail_postproc(req, res)\r
{\r
- if(req.session.items.token != req.body.token){\r
- RenderMessage(res,resource.invaild_parameter,req.session.items);\r
- return;\r
- }\r
if(typeof(req.body.remove) != "undefined"){\r
async.waterfall([\r
function(cb){\r
RenderMessage(res,err,req.session.items);\r
}else if(result != null){\r
res.setHeader("X-FRAME-OPTIONS","DENY");\r
- res.render("profile/edit",{list:result,token:req.body.token});\r
+ res.render("profile/edit",{list:result,token:req.session._csrf});\r
}else{\r
RenderMessage(res,resource.unmatch_password,req.session.items);\r
}\r
\r
function edit_postproc(req, res)\r
{\r
- if(req.session.items.token != req.body.token){\r
- RenderMessage(res,resource.invaild_parameter,req.session.items);\r
- return;\r
- }\r
if(typeof(req.body.name) == "undefined")\r
{\r
RenderMessage(res,resource.invaild_parameter,req.session.items);\r
\r
function registor_postproc(req, res)\r
{\r
- if(req.session.items.token != req.body.token){\r
- RenderMessage(res,resource.invaild_parameter,req.session.items);\r
- return;\r
- }\r
if(typeof(req.body.registor) != "undefined"){\r
async.waterfall([\r
function(cb){\r
req.session.items = new security.SessionInfomation(false);\r
\r
res.setHeader("X-FRAME-OPTIONS","DENY");\r
- res.render("profile/registor",{token:req.session.items.token});\r
+ res.render("profile/registor",{token:req.session._csrf});\r
}\r
\r
function RenderMessage(res,msg,info)\r
{\r
- if(typeof(info) == "undefined")\r
- res.render("profile/message",{message:msg});\r
+ if(typeof(info) == "undefined" || typeof(info.admin) == "undefined")\r
+ res.render("profile/message",{message:msg,admin:false});\r
else\r
res.render("profile/message",{message:msg,admin:info.admin});\r
}\r
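Review bot: The new guard `typeof(info) == "undefined" || typeof(info.admin) == "undefined"` still throws on `null`, because `typeof null` is `"object"` and the right-hand operand then dereferences `info.admin`; a caller forwarding a null value (the `RenderMessage(res,err,info)` call at L57 passes through whatever it was given) would crash instead of rendering the message. Use a nullish check, `if(info == null || typeof(info.admin) == "undefined")`, which covers both `undefined` and `null`. The `admin:false` default on the fallback branch is a good addition since it keeps the template's `admin` variable always defined.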
</tr>\r
<% } %>\r
</table>\r
- <input type="hidden" name="token" value="<%= token %>"></input>\r
+ <input type="hidden" name="_csrf" value="<%= token %>"></input>\r
<input type="submit" name="erase" value="削除"/>\r
</form>\r
</div>\r
<p>IPBANリスト</p>\r
<textarea name="newbanlist" rows="4" cols="40"><%= ipbanlist %></textarea>\r
<br/>\r
- <input type="hidden" name="token" value="<%= token %>"></input>\r
+ <input type="hidden" name="_csrf" value="<%= token %>"></input>\r
<input type="submit" name="registor" value="登録">\r
</form>\r
</div>\r
<p>ルームリスト</p>\r
<textarea name="newroomlist" rows="4" cols="40"><%= roomlist %></textarea>\r
<br/>\r
- <input type="hidden" name="token" value="<%= token %>"></input>\r
+ <input type="hidden" name="_csrf" value="<%= token %>"></input>\r
<input type="submit" name="updateroom" value="登録">\r
</form>\r
</div>\r
<div id="chat_frame" style="display:none">\r
<form name="chat_form" accept-charset="UTF-8">\r
<input type="hidden" name="rno" value="<%= rno %>"></input>\r
- <input type="hidden" name="token" value="<%= token %>"></input>\r
+ <input type="hidden" name="_csrf" value="<%= token %>"></input>\r
<p>発言<textarea type="text" name="message" value=""></textarea></p>\r
<p>\r
<input type="button" name="sid" value="発言"></input>\r
</tr>\r
<% } %>\r
</table>\r
- <input type="hidden" name="token" value="<%= token %>"></input>\r
+ <input type="hidden" name="_csrf" value="<%= token %>"></input>\r
<input type="submit" value="全削除" name="removeall"/>\r
<input type="submit" value="削除" name="remove"/>\r
</form>\r
<p><%= list[0].etc %></p>\r
</div>\r
<form action="/profile/detail" method="POST">\r
- <input type="hidden" name="token" value="<%= token %>"></input>\r
+ <input type="hidden" name="_csrf" value="<%= token %>"></input>\r
<input type="hidden" value="<%= list[0].name %>" name="name"/>\r
<input type="submit" value="編集" name="edit"/>\r
<input type="submit" value="削除" name="remove"/>\r
<td><textarea name="etc" rows="4" cols="50"><%= list[0].etc %></textarea></td>\r
</tr>\r
</table>\r
- <input type="hidden" name="token" value="<%= token %>"></input>\r
+ <input type="hidden" name="_csrf" value="<%= token %>"></input>\r
<input type="submit" value="編集" name="edit"/>\r
</form>\r
</div>\r
<td><textarea name="etc" rows="4" cols="50"></textarea></td>\r
</tr>\r
</table>\r
- <input type="hidden" name="token" value="<%= token %>"></input>\r
+ <input type="hidden" name="_csrf" value="<%= token %>"></input>\r
<input type="submit" value="登録" name="registor"/>\r
</form>\r
</div>\r
document.chat_form.onsubmit = function(){return false;};\r
document.enter_form.onsubmit = function(){return false;};\r
\r
- $socket = io.connect(location.hostname + "/" + document.chat_form.rno.value + "?token="+ encodeURIComponent(document.chat_form.token.value));\r
+ $socket = io.connect(location.hostname + "/" + document.chat_form.rno.value + "?token="+ encodeURIComponent(document.chat_form._csrf.value));\r
$socket.on("error",getErrorMessage);\r
$socket.on("send roominfo",sendRoomInfoListerner);\r
$socket.on("send romcount",sendRomCountListerner);\r
-var $token_length = 32; //トークンの長さ\r
-\r
-module.exports.SessionInfomation = function(admin){\r
- this.token = GetToken($token_length);\r
+module.exports.SessionInfomation = function(admin){\r
this.admin = admin;\r
};\r
-\r
-function GetToken(length){\r
- var RandomString = "";\r
- var BaseString ="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";\r
- for(var i=0; i < length; i++) {\r
- RandomString += BaseString.charAt( Math.floor( Math.random() * BaseString.length));\r
- }\r
- return RandomString;\r
-};\r