使用本地SID二次校验增强管理系统安全性

internal/web/helpers/user_must_auth.go

@@ -200,18 +200,22 @@ func (this *userMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
 	}
 
 	// 检查区域
-	if securityConfig != nil && securityConfig.CheckClientRegion {
-		var oldClientIP = session.GetString("@ip")
-		var currentClientIP = loginutils.RemoteIP(action)
-		if len(oldClientIP) > 0 && len(currentClientIP) > 0 && oldClientIP != currentClientIP {
-			var oldRegion = loginutils.LookupIPRegion(oldClientIP)
-			var newRegion = loginutils.LookupIPRegion(currentClientIP)
-			if newRegion != oldRegion {
+	var oldClientIP = session.GetString("@ip")
+	var currentClientIP = loginutils.RemoteIP(action)
+	if len(oldClientIP) > 0 && len(currentClientIP) > 0 && oldClientIP != currentClientIP {
+		var oldRegion = loginutils.LookupIPRegion(oldClientIP)
+		var newRegion = loginutils.LookupIPRegion(currentClientIP)
+		if newRegion != oldRegion {
+			if securityConfig != nil && securityConfig.CheckClientRegion {
 				loginutils.UnsetCookie(action)
 				session.Delete()
 
 				this.login(action)
 				return false
+			} else {
+				// TODO 考虑IP变化时也需要验证，主要是考虑被反向代理的情形
+				action.RedirectURL("/login/validate?from=" + url.QueryEscape(action.Request.URL.String()))
+				return false
 			}
 		}
 	}

internal/web/helpers/user_should_auth.go

@@ -60,12 +60,13 @@ func (this *UserShouldAuth) BeforeAction(actionPtr actions.ActionWrapper, paramN
 }
 
 // StoreAdmin 存储用户名到SESSION
-func (this *UserShouldAuth) StoreAdmin(adminId int64, remember bool) {
+func (this *UserShouldAuth) StoreAdmin(adminId int64, remember bool, localSid string) {
 	loginutils.SetCookie(this.action, remember)
 	var session = this.action.Session()
 	session.Write("adminId", numberutils.FormatInt64(adminId))
 	session.Write("@fingerprint", loginutils.CalculateClientFingerprint(this.action))
 	session.Write("@ip", loginutils.RemoteIP(this.action))
+	session.Write("@localSid", localSid)
 }
 
 func (this *UserShouldAuth) IsUser() bool {