diff --git a/core/server.js b/core/server.js
index b9b72630d4..4c0e447a4a 100644
--- a/core/server.js
+++ b/core/server.js
@@ -275,14 +275,9 @@ when(ghost.init()).then(function () {
 // Session handling
 // Pro tip: while in development mode cookieSession can be used
 // to keep you logged in while restarting the server
- server.use(express.cookieParser());
- if (process.env.NODE_ENV === 'development'
- && ghost.config().hasOwnProperty('useCookieSession')
- && ghost.config().useCookieSession) {
- server.use(express.cookieSession({ secret: ghost.dbHash, cookie: { maxAge: 60000000 }}));
- } else {
- server.use(express.session({ secret: ghost.dbHash, cookie: { maxAge: 60000000 }}));
- }
+ server.use(express.cookieParser(ghost.dbHash));
+ server.use(express.cookieSession({ cookie : { maxAge: 12 * 60 * 60 * 1000 }}));
+
 //enable express csrf protection
 server.use(express.csrf());
diff --git a/core/server/controllers/admin.js b/core/server/controllers/admin.js
index 7accbaa9be..fad7fa5b31 100644
--- a/core/server/controllers/admin.js
+++ b/core/server/controllers/admin.js
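Review bot: The new `express.cookieSession` line moves the whole session into a client-side cookie that is signed with `ghost.dbHash` but not encrypted, so the user id it carries is readable by whoever holds the cookie, and unlike the server-side `express.session` it replaces, nothing on the server can invalidate an issued cookie before `maxAge` elapses. The signed payload carries no expiry of its own as far as I recall for this connect line — the 12-hour limit is only the cookie's `Expires` attribute enforced by the browser — so a captured cookie value appears to stay valid until `ghost.dbHash` changes; please confirm against the connect version in use. No `secure` flag is set either, so on a plain-HTTP deployment the session cookie travels in clear; a config-driven `cookie.secure` (with cookieSession's `proxy` option when TLS is terminated upstream) would close that. I would record the trade-off next to the call: `// cookieSession: session lives in a signed, unencrypted client cookie; it cannot be revoked server-side and its 12h lifetime is browser-enforced only`.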
@@ -136,21 +136,9 @@ adminControllers = {
 if (!denied) {
 loginSecurity.push({ip: req.connection.remoteAddress, time: process.hrtime()[0]});
 api.users.check({email: req.body.email, pw: req.body.password}).then(function (user) {
- if (process.env.NODE_ENV === 'development'
- && ghost.config().hasOwnProperty('useCookieSession')
- && ghost.config().useCookieSession) {
- req.session.user = user.id;
- res.json(200, {redirect: req.body.redirect ? '/ghost/'
- + decodeURIComponent(req.body.redirect) : '/ghost/'});
- } else {
- req.session.regenerate(function (err) {
- if (!err) {
- req.session.user = user.id;
- res.json(200, {redirect: req.body.redirect ? '/ghost/'
- + decodeURIComponent(req.body.redirect) : '/ghost/'});
- }
- });
- }
+ req.session.user = user.id;
+ res.json(200, {redirect: req.body.redirect ? '/ghost/'
+ + decodeURIComponent(req.body.redirect) : '/ghost/'});
 }, function (error) {
 res.json(401, {error: error.message});
 });
@@ -190,23 +178,10 @@ adminControllers = {
 password: password
 }).then(function (user) {
 api.settings.edit('email', email).then(function () {
- if (process.env.NODE_ENV === 'development'
- && ghost.config().hasOwnProperty('useCookieSession')
- && ghost.config().useCookieSession) {
- if (req.session.user === undefined) {
- req.session.user = user.id;
- }
- res.json(200, {redirect: '/ghost/'});
- } else {
- req.session.regenerate(function (err) {
- if (!err) {
- if (req.session.user === undefined) {
- req.session.user = user.id;
- }
- res.json(200, {redirect: '/ghost/'});
- }
- });
+ if (req.session.user === undefined) {
+ req.session.user = user.id;
 }
+ res.json(200, {redirect: '/ghost/'});
 });
 }).otherwise(function (error) {
 res.json(401, {error: error.message});
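Review bot: Login now writes `req.session.user = user.id` into whatever session object arrived with the request's cookie instead of the freshly regenerated session the removed branch used, so the usual practice of starting authenticated state from an empty session is dropped and any keys already present in that signed cookie survive authentication; the signup hunk below (`@@ -190,23`) has the same shape and there additionally keeps a pre-existing `req.session.user`. If cookieSession serializes whatever object `req.session` holds when headers are sent, a fresh session is one line: `req.session = { user: user.id };`. Separately, `decodeURIComponent(req.body.redirect)` on the new line throws `URIError` on a malformed percent-sequence, and the `function (error)` rejection handler on the next line does not cover errors thrown inside this fulfilment callback, so such a request gets no response at all — wrap the decode in a try/catch or hang an `.otherwise` after the `.then`. The enclosing login handler starts and ends outside this hunk.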
@@ -254,13 +229,7 @@ adminControllers = {
 }).otherwise(errors.logAndThrowError);
 },
 'logout': function (req, res) {
- if (process.env.NODE_ENV === 'development'
- && ghost.config().hasOwnProperty('useCookieSession')
- && ghost.config().useCookieSession) {
- delete req.session.user;
- } else {
- req.session.destroy();
- }
+ req.session = null;
 var notification = {
 type: 'success',
 message: 'You were successfully signed out',
@@ -400,13 +369,7 @@ adminControllers = {
 };
 return api.notifications.add(notification).then(function () {
- if (process.env.NODE_ENV === 'development'
- && ghost.config().hasOwnProperty('useCookieSession')
- && ghost.config().useCookieSession) {
- delete req.session.user;
- } else {
- req.session.destroy();
- }
+ req.session = null;
 res.set({
 "X-Cache-Invalidate": "/*"
 });
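Review bot: `req.session = null;` only makes cookieSession tell the browser to drop its cookie; because the session now lives entirely in a signed client cookie, a copy of the old cookie value (on another device, in a proxy log, or captured over plain HTTP) remains accepted until its `maxAge` passes, whereas the removed `req.session.destroy()` invalidated a server-side record. The same replacement appears in the second hunk (`@@ -400,13`). This is inherent to the cookieSession switch rather than something to fix in these handlers, but it should be stated where the next maintainer looks: `// cookieSession: clears the browser cookie only; an already-issued copy stays valid until maxAge, there is no server-side state to revoke`. Both logout handlers start and end outside their hunks.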