Previously, only the first return value of ctx.GetSuperSecureCookie was used to check whether decryption of the auth cookie succeeded. ctx.GetSuperSecureCookie also returns a second value, a boolean, indicating success or not. That value should be checked first to be on the safe side and not rely on internal logic of the encryption and decryption blackbox.

4 years ago · 96b66e330b
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -71,8 +71,8 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
 		return false, nil
 	}

 	if val, _ := ctx.GetSuperSecureCookie(
 		base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); val != u.Name {
 	if val, ok := ctx.GetSuperSecureCookie(
 		base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name {
 		return false, nil
 	}